diff --git a/CHANGELOG.md b/CHANGELOG.md index c6d4365..c093720 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Security +## [2.4.0] - 2020-08-19 + +### Added + +* New command bkctld upgrade-config to move the legacy config file "/etc/evobackup/" to the new config structure "/etc/evobackup/.d/incs_policy" + +### Changed + +* bkctld-update: start jail after upgrade if it was started before +* bkctld: don't replace SSH host keys when creating/updating a jail +* Split check into check-jails and check-setup +* bkctld-check-jails checks if jails +* bkctld-check-setup checks if the partition is mounted and writable, if firewall is configured and if all jails are in their expected state +* create new ssh keys for new jails instead of copying those from the host + ## [2.3.3] - 2020-05-28 ### Fixed diff --git a/bkctld b/bkctld index 21ee88d..353773b 100755 --- a/bkctld +++ b/bkctld @@ -36,9 +36,13 @@ fi subcommand="${1:-}" case "${subcommand}" in - "inc" | "rm" | "check" | "stats" | "help" | "list") + "inc" | "rm" | "check-jails" | "check-setup" | "stats" | "help" | "list") "${LIBDIR}/bkctld-${subcommand}" ;; + "check") + # backward compatibility + "${LIBDIR}/bkctld-check-jails" + ;; "check-incs") option="${2:-}" if [ "${option}" = "all" ] || [ -z "${option}" ]; then @@ -69,7 +73,7 @@ case "${subcommand}" in "${LIBDIR}/bkctld-${subcommand}" "${jail_name}" "${option}" fi ;; - "start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove" | "firewall") + "start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove" | "firewall" | "upgrade-config") jail_name="${2:-}" if [ "${jail_name}" = "all" ]; then "${LIBDIR}/bkctld-list" | xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-${subcommand}" 
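Review bot: The `"check")` compatibility arm in the first `bkctld` hunk narrows what an existing `bkctld check` probe verifies without telling anyone: it now runs only `bkctld-check-jails`, while the mount and firewall checks that `bkctld-check` used to perform move to `bkctld-check-setup` in this same commit. A monitoring command that still calls `bkctld check` would, as far as the visible code shows, keep returning OK with the backup partition unmounted. Either run both scripts from this arm and exit with the higher status, or make the gap visible with `echo "bkctld check is deprecated: use check-jails and check-setup" >&2`. The comment should also be widened to `# backward compatibility: jail checks only, mount/firewall checks live in check-setup`. The `case` statement starts and ends outside the hunk.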
diff --git a/lib/bkctld-check b/lib/bkctld-check-jails similarity index 61% rename from lib/bkctld-check rename to lib/bkctld-check-jails index 4cd5054..80981f5 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check-jails @@ -14,43 +14,6 @@ nb_ok=0 nb_unkn=0 output="" -# Check if the backup disk is properly mounted - -if [ -b "${BACKUP_DISK}" ]; then - # If backup disk is encrypted, verify that it's open - cryptsetup isLuks "${BACKUP_DISK}" - if [ "$?" -eq 0 ]; then - if [ ! -b '/dev/mapper/backup' ]; then - echo "Luks disk \`${BACKUP_DISK}' is not mounted !\n" - echo "cryptsetup luksOpen ${BACKUP_DISK} backup" - exit 2 - fi - # Change value to real device - BACKUP_DISK='/dev/mapper/backup' - fi - # Verify that it's mounted and writable - findmnt --source ${BACKUP_DISK} -O rw > /dev/null - if [ "$?" -ne 0 ]; then - echo "Backup disk \`${BACKUP_DISK}' is not mounted (or read-only) !\n" - echo "mount ${BACKUP_DISK} /backup" - exit 2 - fi -fi - -# Check if the firewall file is sourced - -minifirewall_config=/etc/default/minifirewall - -if [ -n "${FIREWALL_RULES}" ] \ -&& [ -r "${FIREWALL_RULES}" ] \ -&& [ -f "${minifirewall_config}" ]; then - if ! grep -qE "^(\.|source) ${FIREWALL_RULES}" "${minifirewall_config}"; then - nb_warn=$((nb_warn + 1)) - output="${output}WARNING - Firewall file '${FIREWALL_RULES}' doesn't seem to be sourced by '${minifirewall_config}'\n" - [ "${return}" -le 1 ] && return=1 - fi -fi - # Check each jail status check_jail() { @@ -64,8 +27,8 @@ check_jail() { check_policy_file=$(current_jail_check_policy_file "${jail_name}") if [ -f "${check_policy_file}" ]; then - local_critical=$(read_variable "${check_policy_file}" "CRITICAL") - local_warning=$(read_variable "${check_policy_file}" "WARNING") + local_critical=$(read_numerical_variable "${check_policy_file}" "CRITICAL") + local_warning=$(read_numerical_variable "${check_policy_file}" "WARNING") else unset local_critical unset local_warning 
diff --git a/lib/bkctld-check-setup b/lib/bkctld-check-setup
new file mode 100755
index 0000000..1e68989
--- /dev/null
+++ b/lib/bkctld-check-setup
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Run check on jails (NRPE output)
+# Usage: check
+#
+
+# shellcheck source=./includes
+LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes"
+
+return=0
+nb_crit=0
+nb_warn=0
+nb_ok=0
+nb_unkn=0
+output=""
+
+# Verify backup partition is mounted and writable
+
+findmnt --mountpoint "${BACKUP_PARTITION}" -O rw > /dev/null
+if [ "$?" -ne 0 ]; then
+ nb_crit=$((nb_crit + 1))
+ output="${output}CRITICAL - Backup disk \`/backup' is not mounted (or read-only) !\n"
+ return=2
+else
+ nb_ok=$((nb_ok + 1))
+ output="${output}OK - Backup disk \`/backup' is mounted and writable.\n"
+fi
+
+# Check if the firewall file is sourced
+
+minifirewall_config=/etc/default/minifirewall
+
+if [ -n "${FIREWALL_RULES}" ] \
+&& [ -r "${FIREWALL_RULES}" ] \
+&& [ -f "${minifirewall_config}" ]; then
+ if grep -qE "^(\.|source) ${FIREWALL_RULES}" "${minifirewall_config}"; then
+ nb_ok=$((nb_ok + 1))
+ output="${output}OK - Firewall file \`${FIREWALL_RULES}' is sourced by \`${minifirewall_config}'.\n"
+ else
+ nb_warn=$((nb_warn + 1))
+ output="${output}WARNING - Firewall file \`${FIREWALL_RULES}' doesn't seem to be sourced by \`${minifirewall_config}'\n"
+ [ "${return}" -le 1 ] && return=1
+ fi
+fi
+
+# Check if jails are started
+nb_on=0
+nb_off=0
+for jail_name in $(jails_list); do
+ if "${LIBDIR}/bkctld-is-on" "${jail_name}"; then
+ nb_on=$((nb_on + 1))
+ else
+ expected_state="ON"
+ check_policy_file=$(current_jail_check_policy_file "${jail_name}")
+
+ if [ -f "${check_policy_file}" ]; then
+ expected_state=$(read_variable "${check_policy_file}" "EXPECTED_STATE")
+ fi
+ if [ "${expected_state}" != "OFF" ]; then
+ nb_off=$((nb_off + 1))
+ fi
+ fi
+done
+if [ "${nb_off}" -eq 0 ]; then
+ output="${output}OK - all jails are in their expected state.\n"
+else
+ output="${output}CRITICAL - ${nb_off} jail(s) shouldn't be OFF !\n"
+ nb_crit=$((nb_crit + 1))
+ [ "${return}" -le 2 ] && return=2
+fi
+
+[ "${return}" -ge 0 ] && header="OK"
+[ "${return}" -ge 1 ] &&
header="WARNING" +[ "${return}" -ge 2 ] && header="CRITICAL" +[ "${return}" -ge 3 ] && header="UNKNOWN" + +printf "%s - %s UNK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unkn}" "${nb_crit}" "${nb_warn}" "${nb_ok}" + +printf "${output}" | grep -E "^UNKNOWN" +printf "${output}" | grep -E "^CRITICAL" +printf "${output}" | grep -E "^WARNING" +printf "${output}" | grep -E "^OK" + +exit "${return}" diff --git a/lib/bkctld-update b/lib/bkctld-update index c5b4ec2..bc64af2 100755 --- a/lib/bkctld-update +++ b/lib/bkctld-update @@ -15,8 +15,24 @@ jail_path=$(jail_path "${jail_name}") test -d "${jail_path}" || error "${jail_name}: jail not found" 2 -"${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}" +"${LIBDIR}/bkctld-is-on" "${jail_name}" 2>/dev/null +case "$?" in + 0) + jail_initial_status="on" + ;; + 100) + jail_initial_status="off" + ;; + *) + unset jail_initial_status + error "Error evaluating jail \`${jail_name}' state. bkctld-is-on exited with \`$?'" + ;; +esac + +test "${jail_initial_status}" = "on" && "${LIBDIR}/bkctld-stop" "${jail_name}" setup_jail_chroot "${jail_name}" +test "${jail_initial_status}" = "on" && "${LIBDIR}/bkctld-start" "${jail_name}" + notice "Update jail \`${jail_name}' : OK" diff --git a/lib/bkctld-upgrade-config b/lib/bkctld-upgrade-config new file mode 100644 index 0000000..59c8e37 --- /dev/null +++ b/lib/bkctld-upgrade-config 
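Review bot: The firewall block in `bkctld-check-setup` has no `else` on its outer `if`, so when `FIREWALL_RULES` is empty or unreadable, or `/etc/default/minifirewall` does not exist, nothing is recorded and the script can exit 0 without having looked at the firewall at all. If skipping is intended, make it visible in the output, e.g. `else output="${output}OK - firewall check skipped (FIREWALL_RULES unset or minifirewall config missing)\n"`; otherwise count it as WARNING. The mount messages hard-code `/backup` although `findmnt` tests `${BACKUP_PARTITION}`, and the final `printf "${output}"` calls use text containing configured paths as the format string, where `printf '%b' "${output}"` would keep the `\n` handling without interpreting `%`. The header comment `Run check on jails` describes check-jails rather than this script.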
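Review bot: In the `*)` arm of the new `case "$?"` in `lib/bkctld-update`, the error message expands `$?` after `unset jail_initial_status` has already run, so it reports the status of `unset` rather than what `bkctld-is-on` returned. Combined with the `2>/dev/null` on the call, the operator gets no usable diagnostic when the state probe fails. Capture the status once with `"${LIBDIR}/bkctld-is-on" "${jail_name}" 2>/dev/null; is_on_status=$?`, switch on `case "${is_on_status}" in`, and print `${is_on_status}` in the message. Whether `error` exits when called without a second argument is not visible here; if it does not, the script goes on to `setup_jail_chroot` with `jail_initial_status` unset and the jail is neither stopped nor restarted.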
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# Update jail or all
+# Usage: update |all
+#
+
+# shellcheck source=./includes
+LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes"
+
+jail_name="${1:?}"
+if [ ! -n "${jail_name}" ]; then
+ "${LIBDIR}/bkctld-help" && exit 1
+fi
+jail_path=$(jail_path "${jail_name}")
+
+test -d "${jail_path}" || error "${jail_name}: jail not found" 2
+
+legacy_incs_policy_file="${CONFDIR}/${jail_name}"
+incs_policy_file=$(jail_incs_policy_file "${jail_name}")
+
+if [ -h "${legacy_incs_policy_file}" ]; then
+ if [ -f "${incs_policy_file}" ]; then
+ info "${jail_name}: config is already upgraded"
+ else
+ warning "${jail_name}: symlink present but inc policy file \`${incs_policy_file}' not found"
+ fi
+elif [ ! -e "${legacy_incs_policy_file}" ] ; then
+ if [ -f "${incs_policy_file}" ]; then
+ # create a symlink for backward compatibility
+ ln -s "${incs_policy_file}" "${legacy_incs_policy_file}"
+
+ info "${jail_name}: config has been symlinked"
+ else
+ warning "${jail_name}: inc policy file \`${incs_policy_file}' not found"
+ fi
+elif [ -f "${legacy_incs_policy_file}" ]; then
+ # Create directory if missing
+ mkdir -p "$(jail_config_dir "${jail_name}")"
+ # move the main config file
+ mv "${legacy_incs_policy_file}" "${incs_policy_file}"
+ # create a symlink for backward compatibility
+ ln -s "${incs_policy_file}" "${legacy_incs_policy_file}"
+ # create a check_policy file if missing
+ touch "$(jail_check_policy_file "${jail_name}")"
+
+ info "${jail_name}: config has been upgraded"
+fi
diff --git a/lib/includes b/lib/includes
index 6ba6fec..639dd3f 100755
--- a/lib/includes
+++ b/lib/includes
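Review bot: `lib/bkctld-upgrade-config` is added with mode 100644 while the other scripts in this diff are 100755, and the dispatcher in `bkctld` executes it directly as `"${LIBDIR}/bkctld-${subcommand}"`; unless packaging corrects the mode, `bkctld upgrade-config` would fail with a permission error. In the last `elif` branch none of `mkdir`, `mv`, `ln -s` or `touch` is checked, so a failed move still ends with "config has been upgraded"; guard the steps, e.g. `mv "${legacy_incs_policy_file}" "${incs_policy_file}" || error "${jail_name}: cannot move legacy config" 2`. The header comment describes `update` rather than this command, and the `[ ! -n "${jail_name}" ]` test can never be true after `"${1:?}"`.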
@@ -7,12 +7,13 @@ LIBDIR=${LIBDIR:-/usr/lib/bkctld} CONFDIR="${CONFDIR:-/etc/evobackup}" BACKUP_DISK="${BACKUP_DISK:-}" -JAILDIR="${JAILDIR:-/backup/jails}" -INCDIR="${INCDIR:-/backup/incs}" +BACKUP_PARTITION="${BACKUP_PARTITION:-/backup}" +JAILDIR="${JAILDIR:-${BACKUP_PARTITION}/jails}" +INCDIR="${INCDIR:-${BACKUP_PARTITION}/incs}" TPLDIR="${TPLDIR:-/usr/share/bkctld}" LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}" LOCKDIR="${LOCKDIR:-/run/lock/bkctld}" -INDEX_DIR="${INDEX_DIR:-/backup/index}" +INDEX_DIR="${INDEX_DIR:-${BACKUP_PARTITION}/index}" IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}" SSHD_PID="${SSHD_PID:-/run/sshd.pid}" SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}" @@ -225,7 +226,16 @@ setup_jail_chroot() { umask 077 info "1 - Creating the chroot" - rm -rf ./bin ./lib ./lib64 ./run ./usr ./var/run ./etc/ssh/*key + + rm -rf ./bin + rm -rf ./lib + rm -rf ./lib64 + rm -rf ./run + rm -rf ./usr + rm -rf ./var/run + # Let's not delete the existing SSH host keys, + # otherwise the clients will have to accept the new keys + mkdir -p ./dev mkdir -p ./proc mkdir -p ./usr/bin @@ -241,18 +251,22 @@ setup_jail_chroot() { mkdir -p ./root/.ssh --mode 0700 # shellcheck disable=SC2174 mkdir -p ./var/backup --mode 0700 + ln -s ./usr/bin ./bin ln -s ./usr/lib ./lib ln -s ./usr/lib64 ./lib64 ln -s --target-directory=./var ../run + touch ./var/log/lastlog ./var/log/wtmp ./run/utmp info "2 - Copying essential files" - [ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key ./etc/ssh - [ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key ./etc/ssh - [ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key ./etc/ssh + + # Generate SSH host keys is missing + ssh-keygen -A -f "${jail_path}" + touch "./${AUTHORIZED_KEYS}" chmod 600 "./${AUTHORIZED_KEYS}" + cp "${passwd}" ./etc cp "${shadow}" ./etc cp "${group}" ./etc 
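Review bot: Dropping `./etc/ssh/*key` from the removal list (hunk `@@ -225,7 +226,16 @@`) means a jail created before this release keeps the copies of the host's `/etc/ssh/ssh_host_*_key` private keys that the old code placed in it, and `ssh-keygen -A` in the following hunk only generates key types that are missing. The update path therefore never replaces a key shared between the host and its jails. If separating them is the goal, that needs an explicit, documented rotation step, and the comment should say so, e.g. `# Existing keys are kept, including host keys copied by older versions; rotate those manually`. The result of `ssh-keygen -A -f "${jail_path}"` is also unchecked, so a failure leaves a new jail without host keys; `ssh-keygen -A -f "${jail_path}" || error "cannot generate SSH host keys in ${jail_path}"` would surface it. `setup_jail_chroot` starts and ends outside both hunks.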
@@ -262,7 +276,19 @@ setup_jail_chroot() { cp -f /lib/ld-linux.so.2 ./lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 ./lib64 cp /lib/x86_64-linux-gnu/libnss* ./lib/x86_64-linux-gnu - for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do + for dbin in \ + /bin/sh \ + /bin/ls \ + /bin/mkdir \ + /bin/cat \ + /bin/rm \ + /bin/sed \ + /usr/bin/rsync \ + /usr/bin/lastlog \ + /usr/bin/touch \ + /usr/sbin/sshd \ + /usr/lib/openssh/sftp-server\ + ; do cp -f "${dbin}" "./${dbin}"; for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do cp -p "${lib}" "./${lib}" @@ -337,6 +363,15 @@ read_variable() { file=${1:?} var_name=${2:?} + pattern="^\s*${var_name}=.+" + + grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2 +} + +read_numerical_variable() { + file=${1:?} + var_name=${2:?} + pattern="^\s*${var_name}=-?[0-9]+" grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2 diff --git a/test/checks.bats b/test/checks.bats index 77a7b4a..f8e5c85 100644 --- a/test/checks.bats +++ b/test/checks.bats 
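Review bot: The relaxed `read_variable` in hunk `@@ -337,6 +363,15 @@` now matches `=.+` but still extracts the value with `cut -d= -f2`, so a value containing `=` is truncated at the second `=`, and trailing whitespace or a `# comment` on the line is returned as part of the value. For the `EXPECTED_STATE` lookup added in `bkctld-check-setup`, a line such as `EXPECTED_STATE=OFF # maintenance` would not compare equal to `OFF`; that fails towards CRITICAL, but it will be hard to diagnose. Consider `cut -d= -f2-` followed by trimming, and add a comment that `${var_name}` is interpolated into the regex unescaped and must be a plain identifier. `read_variable` begins above the hunk and `read_numerical_variable` ends below it.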
@@ -3,33 +3,38 @@ load test_helper -@test "Check OK for default values" { - touch "${JAILPATH}/var/log/lastlog" - # With default values (2 days critical, 1 day warning), - # a freshly connected jail should be "ok" - run /usr/lib/bkctld/bkctld-check +@test "Check jails OK" { + run /usr/lib/bkctld/bkctld-check-jails assert_equal "0" "$status" } -@test "Check WARNING for default values" { +@test "Check jails OK for default values" { + touch "${JAILPATH}/var/log/lastlog" + # With default values (2 days critical, 1 day warning), + # a freshly connected jail should be "ok" + run /usr/lib/bkctld/bkctld-check-jails + assert_equal "0" "$status" +} + +@test "Check jails WARNING for default values" { lastlog_date=$(date -d -2days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" # With default values (2 days critical, 1 day warning), # a 2 days old jail should be "warning" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "1" "$status" } -@test "Check CRITICAL for default values" { +@test "Check jails CRITICAL for default values" { lastlog_date=$(date -d -3days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" # With default values (2 days critical, 1 day warning), # a 3 days old jail should be "critical" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "2" "$status" } -@test "Check OK for custom values" { +@test "Check jails OK for custom values" { lastlog_date=$(date -d -3days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" 
@@ -39,11 +44,11 @@ WARNING=96 OUT # With custom values (5 days critical, 4 days warning), # a 3 days old jail should be "ok" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "0" "$status" } -@test "Check WARNING for custom values" { +@test "Check jails WARNING for custom values" { lastlog_date=$(date -d -3days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" @@ -53,11 +58,11 @@ WARNING=48 OUT # With custom values (4 days critical, 3 days warning), # a 3 days old jail should be "warning" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "1" "$status" } -@test "Check CRITICAL for custom values" { +@test "Check jails CRITICAL for custom values" { lastlog_date=$(date -d -10days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" @@ -67,11 +72,11 @@ WARNING=48 OUT # With custom values (4 days critical, 3 days warning), # a 10 days old jail should be "critical" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "2" "$status" } -@test "Check OK for disabled WARNING" { +@test "Check jails OK for disabled WARNING" { lastlog_date=$(date -d -2days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" @@ -80,11 +85,11 @@ WARNING=0 OUT # With custom values (warning disabled, default critical), # a 2 days old jail should still be "ok" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "0" "$status" } -@test "Check WARNING for disabled CRITICAL" { +@test "Check jails WARNING for disabled CRITICAL" { lastlog_date=$(date -d -3days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" 
@@ -93,11 +98,11 @@ CRITICAL=0 OUT # With custom values (critical disabled, default warning), # a 3 days old jail should only be "warning" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "1" "$status" } -@test "Custom values are parsed with only integers after equal" { +@test "Custom jails values are parsed with only integers after equal" { lastlog_date=$(date -d -3days --iso-8601=seconds) touch --date="${lastlog_date}" "${JAILPATH}/var/log/lastlog" @@ -106,7 +111,7 @@ CRITICAL=0 # foo OUT # With custom values (critical disabled, default warning), # a 3 days old jail should only be "warning" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "1" "$status" } @@ -119,7 +124,7 @@ OUT OUT # With commented custom values (critical disabled), # a 3 days old jail should still be "critical" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "2" "$status" } 
@@ -132,40 +137,85 @@ CRITICAL=foo OUT # With commented custom values (critical disabled), # a 3 days old jail should still be "critical" - run /usr/lib/bkctld/bkctld-check + run /usr/lib/bkctld/bkctld-check-jails assert_equal "2" "$status" } -@test "Check WARNING if firewall rules are not sourced" { +@test "Check setup WARNING if firewall rules are not sourced" { + /usr/lib/bkctld/bkctld-start ${JAILNAME} + firewall_rules_file="/etc/firewall.rc.jails" set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}" echo "" > "${firewall_rules_file}" # Without sourcing echo "" > "/etc/default/minifirewall" - # … the check should be "critical" - run /usr/lib/bkctld/bkctld-check + # … the check should be "warning" + run /usr/lib/bkctld/bkctld-check-setup assert_equal "1" "$status" } -@test "Check OK if firewall rules are sourced" { +@test "Check setup OK if firewall rules are sourced" { + /usr/lib/bkctld/bkctld-start ${JAILNAME} + firewall_rules_file="/etc/firewall.rc.jails" set_variable "/etc/default/bkctld" "FIREWALL_RULES" "${firewall_rules_file}" echo "" > "${firewall_rules_file}" # Sourcing file with '.' echo ". 
${firewall_rules_file}" > "/etc/default/minifirewall" - # … the check should be "critical" - run /usr/lib/bkctld/bkctld-check + # … the check should be "ok" + run /usr/lib/bkctld/bkctld-check-setup assert_equal "0" "$status" # Sourcing file with 'source' echo "source ${firewall_rules_file}" > "/etc/default/minifirewall" - # … the check should be "critical" - run /usr/lib/bkctld/bkctld-check + # … the check should be "ok" + run /usr/lib/bkctld/bkctld-check-setup assert_equal "0" "$status" } +@test "Check setup CRITICAL if jail is stopped" { + run /usr/lib/bkctld/bkctld-check-setup + assert_equal "2" "$status" +} + +@test "Check setup OK if all jails are started" { + /usr/lib/bkctld/bkctld-start ${JAILNAME} + + run /usr/lib/bkctld/bkctld-check-setup + assert_equal "0" "$status" +} + +@test "Check setup OK if jail is supposed to be stopped" { + cat > "/etc/evobackup/${JAILNAME}.d/check_policy" < /home/mysqldump/all_grants.sql + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/ + # pt-show-grants --flush --no-header > ${LOCAL_BACKUP_DIR}/mysql/all_grants.sql ## example with SQL dump (schema only, no data) for each databases - # mkdir -p -m 700 /home/mysqldump/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/ # for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \ # | egrep -v "^(Database|information_schema|performance_schema|sys)"); do - # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > /home/mysqldump/${i}.schema.sql + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --no-data --databases $i > ${LOCAL_BACKUP_DIR}/mysql/${i}.schema.sql # done ## example with compressed SQL dump (with data) for each databases - # mkdir -p -m 700 /home/mysqldump/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/ # for i in $(mysql --defaults-extra-file=/etc/mysql/debian.cnf -P 3306 -e 'show databases' -s --skip-column-names \ # | egrep -v 
"^(Database|information_schema|performance_schema|sys)"); do - # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > /home/mysqldump/${i}.sql.gz + # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -P 3306 --events --hex-blob $i | gzip --best > ${LOCAL_BACKUP_DIR}/mysql/${i}.sql.gz # done ## example with *one* uncompressed SQL dump for *one* database (MYBASE) - # mkdir -p -m 700 /home/mysqldump/MYBASE - # chown -RL mysql /home/mysqldump/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysql/MYBASE + # chown -RL mysql ${LOCAL_BACKUP_DIR}/mysql/ # mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --force -Q \ - # --opt --events --hex-blob --skip-comments -T /home/mysqldump/MYBASE MYBASE + # --opt --events --hex-blob --skip-comments -T ${LOCAL_BACKUP_DIR}/mysql/MYBASE MYBASE ## example with mysqlhotcopy - # mkdir -p -m 700 /home/mysqlhotcopy/ - # mysqlhotcopy BASE /home/mysqlhotcopy/ + # mkdir -p -m 700 ${LOCAL_BACKUP_DIR}/mysqlhotcopy/ + # mysqlhotcopy BASE ${LOCAL_BACKUP_DIR}/mysql/mysqlhotcopy/ ## example for multiples MySQL instances # mysqladminpasswd=$(grep -m1 'password = .*' /root/.my.cnf|cut -d" " -f3) @@ -229,7 +229,14 @@ if [ "${LOCAL_TASKS}" = "1" ]; then ## Redis ## example with copy .rdb file + ## for the default instance : # cp /var/lib/redis/dump.rdb ${LOCAL_BACKUP_DIR}/ + ## for multiple instances : + # for instance in $(ls -d /var/lib/redis-*); do + # name=$(basename $instance) + # mkdir -p ${LOCAL_BACKUP_DIR}/${name} + # cp -a ${instance}/dump.rdb ${LOCAL_BACKUP_DIR}/${name} + # done ## ElasticSearch 
@@ -368,7 +375,7 @@ if [ "${SYNC_TASKS}" = "1" ]; then # ignore check because we want it to split the different arguments to $rep # shellcheck disable=SC2086 - rsync -avzh --stats --delete --delete-excluded --force --ignore-errors --partial \ + rsync -avzh --relative --stats --delete --delete-excluded --force --ignore-errors --partial \ --exclude "lost+found" \ --exclude ".nfs.*" \ --exclude "/var/log" \
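Review bot: Adding `--relative` changes both the destination layout and the transfer root that anchored filter rules are matched against, and this command combines it with `--delete --delete-excluded`. For any source in `$rep` that is not a top-level directory, anchored patterns such as `--exclude "/var/log"` may match differently than before, and copies already on the backup server under the old layout may be left stale. The source list is not visible in this hunk, so this should be confirmed with a `--dry-run` against an existing jail. A comment above the command would record the intent, e.g. `# --relative: sources are stored under their full path; anchored excludes are matched from /`. The rsync command continues below the hunk.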