Managing SSH chroots to backup a lot of machines

.Dd December 27, 2018
.Dt BKCTLD 8
.Os
.Sh NAME
.Nm bkctld
.Nd tool to manage evobackup jails
.Sh SYNOPSIS
.Nm
.Op Ar operand...
.Sh DESCRIPTION
.Nm
is a shell script that creates and manages a backup server
which can handle the backups of many other servers (clients).
.Pp
It uses
.Xr ssh 1
and
.Xr chroot 8
to sandbox every client's backups.
Each client will upload its data every day
using
.Xr rsync 1
in its
.Xr chroot 8
(using the root account).
.Pp
Prior backups are stored incrementally outside of the
.Xr chroot 8
using
.Xr ln 1
hard links or BTRFS snapshots,
so they cannot be affected by the client.
Which backups are kept over time can be configured in the jail's nominal
.Xr evobackup-incl 5
configuration file.
.Pp
A large enough volume must be mounted on
.Pa /backup .
If the filesystem is formatted with BTRFS,
.Nm
will use sub-volumes and snapshots to save space.
.Pp
Its default settings can be overridden in the
.Xr bkctld.conf 5
file.
.Pp
The following operands are available:
.Bl -tag -width Ds
.It Cm init Ar jailname
Create an evobackup jail
.It Cm update Cm all | Ar jailname
Update an evobackup jail
.It Cm remove Cm all | Ar jailname
Remove an evobackup jail
.It Cm start Cm all | Ar jailname
Start an evobackup jail
.It Cm stop Cm all | Ar jailname
Stop an evobackup jail
.It Cm reload Cm all | Ar jailname
Reload an evobackup jail
.It Cm restart Cm all | Ar jailname
Restart an evobackup jail
.It Cm sync Cm all | Ar jailname
Sync an evobackup jail.
The mirror server is defined by the
.Ev $NODE
variable in
.Pa /etc/default/bkctld .
.It Cm status Op Ar jailname
Print the status of all jails or only
.Op Ar jailname .
.It Cm key Ar jailname Op Ar keyfile
Print or set the
.Xr ssh 1
public key of an evobackup jail
.It Cm port Ar jailname Op Cm auto | Ar port
Print or set the
.Xr ssh 1
.Op Ar port
of an evobackup jail.
Using
.Op Cm auto
will set it to the next available port.
.It Cm ip Ar jailname Op Cm all | Ar address
Print or set the whitelisted IP
.Op Ar address
for an evobackup jail.
.Op Cm all
allows unrestricted access and is the default.
.It Cm inc
Generate incremental backups
.It Cm rm
Remove old incremental backups
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa /etc/default/bkctld
Template for
.Xr bkctld.conf 5
.It Pa /usr/share/bkctld/incl.tpl
Default rules for the incremental backups are stored here.
.El
.Sh EXAMPLES
Before creating a jail and backing up a client,
the backup server administrator will need:
.Bl -bullet
.It
The host name of the client system.
.It
The public RSA
.Xr ssh 1
key for the
.Dq root
user of the client system.
It is recommended that the private key be password-less if automation is desired.
.It
The IPv4 address of the client system,
if the administrator wishes to maintain a whitelist;
see
.Va FIREWALL_RULES
in
.Xr bkctld.conf 5 .
.El
.Pp
The administrator can then create the jail:
.Bd -literal -offset indent
# bkctld init CLIENT_HOST_NAME
# bkctld key CLIENT_HOST_NAME /root/CLIENT_HOST_NAME.pub
# bkctld ip CLIENT_HOST_NAME CLIENT_IP_ADDRESS
# bkctld start CLIENT_HOST_NAME
# bkctld status CLIENT_HOST_NAME
.Ed
.Pp
And override the default
.Xr evobackup-incl 5
rules:
.Bd -literal -offset indent
# $EDITOR /etc/evobackup/CLIENT_HOST_NAME
.Ed
.Pp
To sync itself,
the client server will need to install
.Xr rsync 1 .
It can then be run manually:
.Bd -literal -offset indent
# rsync -av -e "ssh -p JAIL_PORT" /home/ root@BACKUP_SERVER:/var/backup/home/
.Ed
.Pp
If a more automated setup is required,
a script can be written in any programming language.
In this case,
it may be useful to validate the backup server's identity beforehand:
.Bd -literal -offset indent
# ssh -p JAIL_PORT BACKUP_SERVER
.Ed
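One way to enforce that identity check from an unattended job, as an added example that is not part of evobackup or its repository script: the wrapper below refuses to start rsync unless the jail's host key is already pinned. The function names and the dedicated known_hosts file are assumptions; BACKUP_SERVER and JAIL_PORT are the placeholders used above.

```shell
#!/bin/sh
# Added example, not evobackup code: only push a backup to a jail whose
# sshd host key was verified and recorded beforehand.

# known_hosts records non-default ports as "[host]:port", port 22 as "host".
known_hosts_name() {
    if [ "$2" = "22" ]; then printf '%s\n' "$1"; else printf '[%s]:%s\n' "$1" "$2"; fi
}

# Succeed only if FILE holds a plain (unhashed) entry for HOST and PORT.
# Hashed entries are reported as unpinned; query those with ssh-keygen -F.
host_is_pinned() {  # host_is_pinned HOST PORT FILE
    name=$(known_hosts_name "$1" "$2")
    [ -r "$3" ] || return 1
    awk -v want="$name" '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # blank lines and comments
        substr($1, 1, 1) == "@" { next }              # @revoked / @cert-authority lines
        { n = split($1, h, ","); for (i = 1; i <= n; i++) if (h[i] == want) found = 1 }
        END { exit (found ? 0 : 1) }' "$3"
}

# Transport for rsync -e: never prompt and never accept an unknown or
# changed host key. FILE must not contain whitespace.
ssh_transport() {  # ssh_transport PORT FILE
    printf 'ssh -p %s -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s\n' "$1" "$2"
}

push_backup() {  # push_backup SERVER PORT FILE SRC DEST
    if ! host_is_pinned "$1" "$2" "$3"; then
        echo "refusing to sync: no pinned host key for $1 port $2 in $3" >&2
        return 2
    fi
    rsync -a -e "$(ssh_transport "$2" "$3")" "$4" "root@$1:$5"
}

# Typical cron use (placeholders as in the examples above):
#   push_backup BACKUP_SERVER JAIL_PORT /root/.ssh/known_hosts_backup /home/ /var/backup/home/
```

With StrictHostKeyChecking=yes a changed host key makes ssh, and therefore rsync, exit non-zero, so a cron job can alert on the failure.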
.Pp
A
.Xr bash 1
example to be run under the
.Dq root
user's
.Xr crontab 5
can be found in the
.Lk https://gitea.evolix.org/evolix/evobackup/src/branch/master/zzz_evobackup "source repository" .
.\" .Sh EXIT STATUS
.\" For sections 1, 6, and 8 only.
.\" .Sh DIAGNOSTICS
.\" For sections 1, 4, 6, 7, 8, and 9 printf/stderr messages only.
.Sh SEE ALSO
.Xr rsync 1 ,
.Xr ssh-keygen 1 ,
.Xr bkctld 5 ,
.Xr evobackup-incl 5 ,
.Xr chroot 8 ,
.Xr cron 8 ,
.Xr sshd 8
.Sh AUTHORS
.An Victor Laborie
.\" .Sh CAVEATS
.\" .Sh BUGS