Re: [BackupPC-users] Pluggable setup
On Sun, Mar 15, 2015 at 6:57 AM, Mauro Condarelli mc5...@mclink.it wrote:

> Hi All,
> I already sent this yesterday, but I didn't see it on the list (and
> neither saw any answer), so I'm resending it. Pardon me if you see it
> twice.
>
> Hi,
> I need to back up a large (6T+) NAS on some removable storage.
> Since I have lots of duplicates I would really like to use BackupPC for
> the task.
> I would thus like to set up several external hard drives (2T) with
> BackupPC, each dedicated to backing up a subset of the NAS.
> When one of the removables is connected I would like to (automatically)
> start the pertinent backup.
> Is this configuration supported somehow?
> What are the Best Practices in this usage case?
>
> NOTE: I know I will lose deduplication across different sections, but the
> effect can be lessened by thoughtful partitioning and I can live with that.

I think no one answered because no one else is doing it that way. I'd either try some of the newer 5TB externals and hope the dedup/compression is enough to hold the whole thing or do an install from the sourceforge tarball on each of your smaller hard drives. Doing your own install instead of using a packaged version lets you pick the location for all of the components so you can make sure everything involved has separate copies on each drive. And then you'll need some sort of script to start it up - and maybe you can find a way to make that autoexecute when the drive is connected.

--
Les Mikesell
lesmikes...@gmail.com

___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Setup of rsync via SSH with unprivileged user 'backuppc'
On 2015-03-15 12:40, Adam Goryachev wrote:

> On 14/03/2015 22:08, Angus Kerr wrote:
> [...]
>> #Sudoers file for backuppc user to run rsync
>> backuppc ALL=NOPASSWD: /usr/bin/rsync
>
> Note that this will give the user root access easily enough. The user
> could create the file they want in /tmp, and then use sudo rsync to
> overwrite the target file (or copy a file they don't have read access to
> to a location they do have access to, including another machine).
>
> Therefore, this entire process is hardly worth the effort and additional
> complexity
> [...]

A lot of sources at least agree on that being unsafe. AFAIK rrsync should be the proper way and justify the effort, e.g.
http://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/

Regards,
Benjamin

--
FSU Jena | JULIELab.de/Staff/Benjamin+Redling.html
vox: +49 3641 9 44323 | fax: +49 3641 9 44321
[BackupPC-users] Pluggable setup
Hi All,
I already sent this yesterday, but I didn't see it on the list (and neither saw any answer), so I'm resending it. Pardon me if you see it twice.

Hi,
I need to back up a large (6T+) NAS on some removable storage.
Since I have lots of duplicates I would really like to use BackupPC for the task.
I would thus like to set up several external hard drives (2T) with BackupPC, each dedicated to backing up a subset of the NAS.
When one of the removables is connected I would like to (automatically) start the pertinent backup.
Is this configuration supported somehow?
What are the Best Practices in this usage case?

NOTE: I know I will lose deduplication across different sections, but the effect can be lessened by thoughtful partitioning and I can live with that.

TiA
Mauro
Re: [BackupPC-users] Setup of rsync via SSH with unprivileged user 'backuppc'
On 14/03/2015 22:08, Angus Kerr wrote:

> Hi
>
> I really struggled to get this working. I thought it might be a good idea
> to update the section. I've edited the ssh section to tailor it
> specifically to cater for an unprivileged user 'backuppc'.
>
> As root use visudo to create a sudoers file for backuppc, but with
> permissions only to run rsync.
>
>     visudo -f /etc/sudoers.d/backuppc
>
> Copy the following text in the file and save it
>
>     #Sudoers file for backuppc user to run rsync
>     backuppc ALL=NOPASSWD: /usr/bin/rsync

Note that this will give the user root access easily enough. The user could create the file they want in /tmp, and then use sudo rsync to overwrite the target file (or copy a file they don't have read access to to a location they do have access to, including another machine).

Therefore, this entire process is hardly worth the effort and additional complexity IMHO.

>     touch /home/backuppc/.ssh/authorized_keys2
>     cat BackupPC_id_rsa.pub >> /home/backuppc/authorized_keys2

Why touch the file when the next command will create it anyway (if it didn't exist)? BTW, on every system I've seen, the file should be called authorized_keys without the 2 on the end.

> You need to place each client's public key into backuppc's
> |~/.ssh/known_hosts| file, otherwise you will get a "Host key
> verification failed." error, and backuppc will not be able to log into
> the client.
>
> To place the client key into the |~/.ssh/known_hosts| file, you need to
> do this (make sure |~/.ssh/client_id_rsa.pub| is the client's public key,
> which needs to be copied from the client):
>
> As user backuppc
>
>     touch ~/.ssh/known_hosts
>     cat ~/.ssh/Fred-pc_rsa.pub >> ~/.ssh/known_hosts
>
> Repeat this step to add each client's key, i.e. Mary-pc_rsa.pub and
> whatever the other keys are named.
>
> You might be prompted the first time to accept the client's host key and
> you might be prompted for backuppc's password on the client. Make sure
> that this command runs cleanly with no prompts after the first time. You
> might need to check |/etc/hosts.equiv| on the client. Look at the man
> pages for more information. The |-v| option to ssh is a good way to get
> detailed information about what fails.

If you added the key to the known_hosts file, then you wouldn't get prompted to accept the host's key. If you are going to manually test/accept the key, then you may as well not waste time messing around with it in the first place.

> The above configuration means that the only command that backuppc can run
> is rsync.

Until they use rsync to replace the /etc/sudoers file with whatever they want.

BTW, thank you for the write up, I'm sure it will be useful and helpful for many people, just pointing out that additional obscurity doesn't necessarily mean it is more secure.

Regards,
Adam
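The concern raised in this thread comes from how sudoers treats a command listed as a bare path: it may be run with any arguments. The following is an added example, not part of the original messages or of BackupPC, that lists such entries; `audit_sudoers` is a hypothetical helper and the sample text is constructed from the two sudoers lines quoted on this page.

```shell
#!/bin/sh
# Added example: list NOPASSWD sudoers commands that have no argument
# restriction. A sudoers command given as a bare path may be run with any
# arguments, which is why "sudo rsync" amounts to root access.
# audit_sudoers is a hypothetical helper; it parses simple one-line entries
# only (no aliases, no line continuations, one NOPASSWD tag per line).

audit_sudoers() {
    # stdin: sudoers text; stdout: "user<TAB>command" per unrestricted command
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        /NOPASSWD:/ {
            user = $1
            spec = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", spec)
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", cmd)
                # absolute path with nothing after it: any arguments allowed
                if (cmd ~ /^\/[^ \t]*$/)
                    printf "%s\t%s\n", user, cmd
            }
        }
    '
}

# Constructed sample using the two sudoers lines quoted on this page.
SAMPLE_SUDOERS='# constructed sample
backuppc ALL=NOPASSWD: /usr/bin/rsync
backuppc ALL=NOPASSWD: /sbin/etherwake -i enp3s0 *
'

printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers
```

Only the rsync entry is reported; the etherwake entry pins its leading arguments and is not.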
Re: [BackupPC-users] Wake-on-LAN setup - no ping response
Hi,

Russ Russ wrote on 2015-03-06 09:07:30 +0300 [[BackupPC-users] Wake-on-LAN setup - no ping response]:

> [...]
> I have backuppc server on Gentoo which works fine with regular client
> backups. Now I am configuring wake-on-lan to wake windows clients up
> before backup.
> [...]
> 3. Appropriate 777 rights have been granted to wolping.sh.

a=rwx is hardly appropriate. Actually, having 'others' being able to modify the script is an attack waiting to happen. Anyone at all with access to the machine can put anything they want into the script and just have to wait for it to be executed by the BackupPC daemon with its associated privileges. That is basically the same as giving anyone a free backuppc uid shell, including full access to all backups and presumably root access to all client machines you are backing up. Not necessarily a good idea ;-).

I don't believe BackupPC actually checks the permissions before executing the PingCmd (or any other), but I wouldn't blame *anything* (BackupPC, Perl, bash, kernel) for blandly refusing to execute a world-writable file as a general security measure.

> This is output of ls -l:
> -rwxrwxrwx 1 backuppc backuppc 1246 12:00 wolping.sh

The ownership looks good enough, though 'root:root' might be more suitable, now you just have to 'chmod go-w' it. And afterwards check it has not been modified. We'll just assume no malicious party has the file opened for writing across your chmod and review, but for the record I'll mention the theoretical possibility.

Curious that your 'ls -l' output contains no date :-).

> 4. I have tested wolping.sh and it works great from terminal under
> backuppc user

Well, you use 'sudo'. You haven't by chance previously input a sudo password in your terminal session? You are sure you are executing /usr/local/bin/wolping.sh and not a different version of the script somewhere in your path? ;-)

What is the return code of the script when you execute it from a shell? Your standard shell usually doesn't tell you if you don't ask explicitly, but it might make a difference for BackupPC.

> Seems that backuppc does not even fire the script as "logger" does not
> appear in tail -f /var/log/messages

You should see more in BackupPC's log files. I don't regularly use the 'logger' command, so I'm not familiar with its intricacies. Is it not called, or does it fail to log, or does it log somewhere else than you are looking? Does the command line invocation of wolping.sh cause a log entry (in /var/log/messages)?

Looking at your script, I am wondering what your $Conf{PingCmd} looks like (out of habit, I'd also like to see $Conf{PingPath}). It's obviously not the default ('$pingPath -c 1 $host'), because you get your host name from $5:

> [...]
> WAKEHOST=$5
> [...]
> function fwol {
> TO_WAKEUP=$1

(apparently never used)

> sudo $ETHWAKE $1

I suppose you've got an entry similar to this in your /etc/sudoers:

    backuppc ALL=NOPASSWD: /sbin/etherwake -i enp3s0 *

You use different invocations of the ping command - is that intentional?

> [...]
> $PING $ARG1 $ARG2 $ARG3 $ARG4 $WAKEHOST > /dev/null 2>&1
> $PING $ARG1 $ARG2 $WAKEHOST
> $PING $ARG1 $ARG2 $ARG3 $ARG4 $WAKEHOST

Wouldn't it make more sense to control that in the script and call it with the parameters that are truly variable, e.g.

    wolping.sh hostname interval

Your script is implying semantics for $ARG3 and $ARG4, so you can't really configure PingCmd to use wolping.sh with arbitrary 'ping' switches (let alone a variable number of them) in arbitrary order, as it might first appear.

You might also want to replace the sleep command with a fancy ping invocation to be more adaptive to the time an individual host actually requires to boot. You could experiment with something like

    ping -i 10 -c 18 -A -q hostname

which should wait at most 180 seconds (like your sleep command), probe your host in 10 second intervals and terminate shortly after the host begins to respond. That way, you could increase the tolerance (raise the -c argument) to accommodate slow hosts and yet not have to unnecessarily wait for a fixed long time for fast hosts. Of course, you would also wait the maximum time for hosts which simply fail to wake up.

Hope that helps.

Regards,
Holger
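The reply above notes that BackupPC probably does not check a hook script's permissions before running it, and that refusing a world-writable file would be a reasonable safeguard. The following is an added example, not part of the original message or of BackupPC, of a wrapper that enforces this; `perms_ok` and `run_checked` are hypothetical names, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: refuse to run a hook script that others could have modified.

# perms_ok PATH [EXTRA_OWNER_UID...]
# Returns 0 only if PATH and its directory are owned by root (uid 0) or one
# of the extra uids, and neither is writable by group or others.
perms_ok() {
    script=$1; shift
    [ -f "$script" ] || { echo "not a regular file: $script" >&2; return 2; }
    for target in "$script" "$(dirname "$script")"; do
        mode=$(stat -c '%a' "$target") || return 2   # octal mode, e.g. 755
        uid=$(stat -c '%u' "$target") || return 2    # numeric owner
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "refusing: $target is group/world-writable (mode $mode)" >&2
            return 1
        fi
        trusted=no
        for ok in 0 "$@"; do
            if [ "$uid" = "$ok" ]; then trusted=yes; fi
        done
        if [ "$trusted" != yes ]; then
            echo "refusing: $target is owned by untrusted uid $uid" >&2
            return 1
        fi
    done
    return 0
}

# run_checked PATH [ARGS...]
# Runs PATH only if perms_ok accepts it, trusting root and the calling user.
run_checked() {
    script=$1; shift
    perms_ok "$script" "$(id -u)" || return 126
    "$script" "$@"
}
```

The directory is checked as well because write access to it allows the script to be replaced even when the file itself is not writable.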