Backups

Running storebackup without root

storebackup can quite easily overload the CPU or fill the memory completely, leading to OOM, if it is run as root, because no limits are enforced on the process.

It is better to run it as the user backup so that the process can be regulated. We do this by allowing the backup user to perform some elevated activities, possibly with a small alteration to the storebackup code to cope with this change.

In your /etc/security/capability.conf:

cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid    backup

Then modify /etc/pam.d/su to put "auth required pam_cap.so" at the beginning.

Now we allow the programs that storebackup needs to use these capabilities when they are launched by the backup user. Note that the flags are +ei, not +eip, so the elevated access should only be usable when pam_cap.so has granted it.

We avoided setting the capabilities on bash, as that breaks fakeroot and we could then no longer build Debian packages. The setcap loop below runs in the cron job that starts storebackup, before it switches to user backup and launches storebackup.

for N in perl cp cat tar rm bzip2 mknod chown mkdir md5sum rmdir mount grep pod2text
do
        # Resolve each tool to its full path; quoting makes a missing tool fail visibly
        setcap cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid+ei "$(command -v "$N")"
done

With these capabilities storebackup should not check whether the permissions let it read a file; it should just go ahead and read it, because it can. A small modification is needed:

--- /usr/share/storebackup/lib/fileDir.pl       2012-03-04 07:45:54.000000000 +0000
+++ /usr/share/storebackup/lib/fileDir.pl       2015-02-07 00:53:40.000000000 +0000
@@ -772,6 +771,0 @@
-       unless (-r $entry)
-       {
-           $prLog->print('-kind' => $prLogWarn,
-                         '-str' => ["no permissions to read <$entry>"]);
-           next;
-       }
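Review bot: the block deleted at line 772 takes the $prLogWarn message away together with the "next", and does so unconditionally, so whenever storebackup runs without the capabilities actually in effect (for example started directly rather than through su with pam_cap.so) an unreadable <$entry> is no longer reported or skipped at this point. Consider keeping the check behind a configuration switch instead of deleting it, or confirm that the code which later opens the entry reports the failure through $prLog, so that unreadable files still show up in the backup log.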

Finally we can edit /etc/cron.daily/storebackup to start storebackup nightly as user backup, and maybe nice the process and set limits on RAM consumption. Setting saveRAM=yes in the storebackup job files is also a good idea.

if ! > "${tmplog}" 2>&1 su backup -c 'chrt -i 0 ionice -t -c3 /usr/bin/perl /usr/bin/storeBackup -f '"${file}"

Hopefully storebackup now finds it can do the activities it needs to do, and can also be monitored in top as it works protecting the data.

Offhost backup with rsync

storebackup works well locally, but we also need to store backups offhost, away from the server: out of the room is good, out of the building is better. The other location must also be secure, as it holds personal data too.

On the server to be backed up:

/etc/systemd/system/rsync.socket

  [Unit]
  Description=RSYNC Socket for Per-Connection Servers
  [Socket]
  ListenStream=873
  Accept=yes
  [Install]
  WantedBy=sockets.target

/etc/systemd/system/rsync@.service

  [Unit]
  Description=RSYNC systemd inet emulation.
  ; rsync tries /dev/log
  [Service]
  ExecStart=-/usr/bin/rsync --daemon --config /etc/rsyncd.conf
  StandardInput=socket
  IOSchedulingClass=idle
  OOMScoreAdjust=500
  CPUSchedulingPolicy=idle

/etc/rsyncd.conf

  socket options = IPTOS_THROUGHPUT,SO_RCVBUF=0x1000000,SO_SNDBUF=0x1000000
  [backups]
  uid = root
  gid = root
  read only = yes
  use chroot = no
  path = /var/local/backups
  hosts allow = 2001:db8::aede:48ff:fe23:4567

On the administrator's desktop PC

This machine can easily be up only irregularly, as long as it is in a secure place, preferably away from the main server, and has network access to it.

/etc/systemd/system/backup-example.service

  [Unit]
  Description=backs up example via rsync
  [Service]
  #ExecStartPre=-/sbin/setcap cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid=+ei /usr/bin/rsync
  ExecStart=-/usr/bin/rsync -avhRPHAX --no-implied-dirs --sockopts=IPTOS_THROUGHPUT,SO_RCVBUF=0x1000000,SO_SNDBUF=0x1000000 example::backups/2* /var/local/backups
  User=backup
  PrivateTmp=true
  PrivateDevices=true
  PrivateNetwork=false
  ProtectSystem=true
  ProtectHome=true
  NoNewPrivileges=true
  #CPUSchedulingPolicy=batch
  #IOSchedulingClass=idle
  StandardInput=null
  StandardOutput=journal
  StandardError=inherit
  AmbientCapabilities=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
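
The +ei (not +eip) choice for the storebackup helper programs and the AmbientCapabilities= line in this unit both follow from the kernel's execve capability rules in capabilities(7). The following is an added example, not part of the original page or of storebackup, that models those rules for a non-root process; the class and variable names are illustrative, and it ignores no_new_privs and the root special cases.

```python
# Added example: execve(2) capability transformation from capabilities(7),
# non-root process only. Names below are illustrative assumptions.
from dataclasses import dataclass

CAPS = ["cap_chown", "cap_dac_override", "cap_dac_read_search",
        "cap_fowner", "cap_fsetid"]          # kernel bit numbers 0..4
BACKUP_SET = (1 << len(CAPS)) - 1            # 0x1f, the five caps the page grants
FULL = (1 << 41) - 1                         # constructed "everything" bounding set

@dataclass
class Proc:
    inheritable: int = 0
    ambient: int = 0
    bounding: int = FULL

@dataclass
class FileCaps:
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False                  # the single "e" flag of setcap

    @property
    def privileged(self) -> bool:            # setuid/setgid bits not modelled
        return bool(self.permitted or self.inheritable or self.effective)

def after_exec(p: Proc, f: FileCaps) -> int:
    """Return the effective capability mask of the program after execve."""
    ambient = 0 if f.privileged else p.ambient
    permitted = ((p.inheritable & f.inheritable)
                 | (f.permitted & p.bounding) | ambient)
    return permitted if f.effective else ambient

def names(mask: int) -> list:
    return [c for i, c in enumerate(CAPS) if (mask >> i) & 1]

PLUS_EI = FileCaps(inheritable=BACKUP_SET, effective=True)   # setcap ...+ei
PLUS_EIP = FileCaps(BACKUP_SET, BACKUP_SET, True)            # the avoided +eip
NO_FCAPS = FileCaps()                                        # rsync without file caps

backup_via_pam_cap = Proc(inheritable=BACKUP_SET)  # capability.conf + pam_cap.so
other_user = Proc()                                # no inheritable set
systemd_unit = Proc(inheritable=BACKUP_SET, ambient=BACKUP_SET)  # AmbientCapabilities=

if __name__ == "__main__":
    for label, p, f in [("backup via pam_cap, +ei", backup_via_pam_cap, PLUS_EI),
                        ("other user, +ei", other_user, PLUS_EI),
                        ("other user, +eip", other_user, PLUS_EIP),
                        ("systemd ambient, no file caps", systemd_unit, NO_FCAPS)]:
        print(f"{label:30} -> {names(after_exec(p, f)) or 'none'}")
```

With +ei only the process that already carries the inheritable set gains the capabilities, whereas +eip would hand them to any user who runs the binary; the ambient set lets the systemd unit use an unmodified rsync.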

/etc/systemd/system/backup-example.timer

It is good to pick a time when the system is likely to be up and not too busy.

  [Unit]
  Description=backup example timer
  [Timer]
  Persistent=true
  OnCalendar=*-*-* 19:13:37
  [Install]
  WantedBy=timers.target

Tell systemd to reload all units after edits with systemctl daemon-reload, then activate the timer job now with systemctl start backup-example.timer, and at every boot with systemctl enable backup-example.timer.

To start the backup immediately, run systemctl start backup-example.service, or wait for the timer job if that is active.