Managing SSH chroots to backup a lot of machines
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

3.7 KiB

BKCTLD(8) - System Manager's Manual


bkctld - tool to manage evobackup jails


bkctld [operand...]


bkctld is a shell script that creates and manages a backup server which can handle the backups of many other servers (clients).

It uses ssh(1) and chroot(8) to sandbox every client's backups. Each client will upload it's data every day using rsync(1) in it's chroot(8) (using the root account).

Prior backups are stored incrementally outside of the chroot(8) using ln(1) hard links or BTRFS snapshots. (So they can not be affected by the client), which backups are kept over time can be configured in the jail's nominal evobackup-incl(5) configuration file.

A large enough volume must be mounted on /backup, if the filesystem is formatted with BTRFS, bkctld will use sub-volumes and snapshots to save space.

It's default settings can be overridden in bkctld.conf(5) file.

The following operands are available:

init jailname

Create an evobackup jail

update all | jailname

Update an evobackup jail

remove all | jailname

Remove an evobackup jail

start all | jailname

Start an evobackup jail

stop all | jailname

Stop an evobackup jail

reload all | jailname

Reload an evobackup jail

restart all | jailname

Restart an evobackup jail

sync all | jailname

Sync an evobackup jail, the mirror server is defined by the $NODE variable in /etc/default/bkctld

status [jailname]

Print the status of all jails or only [jailname].

key jailname [keyfile]

Print or set the ssh(1) public key of an evobackup jail

port jailname [auto | port]

Print or set the ssh(1) [port] of an evobackup jail. Using [auto] will set it to the next available port.

ip jailname [all | address]

Print or set the whitelisted IP [address] for an evobackup jail. [all] allows unrestricted access and is the default.


Generate incremental backups


Remove old incremental backups



Template for bkctld.conf(5)


Default rules for the incremental backups are stored here.


Before creating a jail and backing up a client, the backup server administrator will need:

  • The host name of the client system.

  • The public RSA ssh(1) key for the "root" user of the client system, it is recommended the private key be password-less if automation is desired.

  • The IPv4 address of the client system is needed if the administrator wishes to maintain a whitelist, see FIREWALL_RULES in bkctld.conf(5)

He can then create the jail:

# bkctld init <JAIL_NAME>
# bkctld key <JAIL_NAME> /root/<JAIL_NAME>.pub
# bkctld ip <JAIL_NAME> <IP_OR_CIDR>
# bkctld start <JAIL_NAME>
# bkctld status <JAIL_NAME>

And override the default evobackup-incl(5) rules

# $EDITOR /etc/evobackup/<JAIL_NAME>.d/incs_policy

To sync itself, the client server will need to install rsync(1). It can then be run manually:

# rsync -av -e "ssh -p <JAIL_PORT>" /home/ root@<BACKUP_SERVER>:/var/backup/home/

If a more automated setup is required, a script can be written in any programming language. In this case, it may be useful to validate the backup server's identity before hand.

# ssh -p <JAIL_PORT> root@<BACKUP_SERVER> -t exit

A bash(1) example to be run under the "root" user's crontab(5) can be found in the source repository


rsync(1), ssh-keygen(1), bkctld(5), evobackup-incl(5), chroot(8), cron(8), sshd(8)


Victor Laborie

OpenBSD 6.4 - December 27, 2018