Hi James,

Since remote root logins are not allowed, maybe you could consider backing up the system to an external storage device. I have attached a mini-howto. I hope you find it useful.

MINI-HOWTO backup data in an encrypted storage device
=====================================================

Author: Rodolfo Martinez <[email protected]>

Objectives
----------

* File system backups to an external storage device.
* The storage device has to be encrypted.
* Incremental backups.
* 7-day retention period.

Hardware requirements
---------------------

* An external storage device, like a USB hard drive. The size will depend on
  how much information you want to backup and the retention period.

Software requirements
---------------------

* bash
* rsync
* cryptsetup-luks
  http://clemens.endorphin.org/
  http://code.google.com/p/cryptsetup/
  A utility for setting up encrypted filesystems using Device Mapper and the
  dm-crypt target. cryptsetup is usually part of any "modern" GNU/Linux
  distribution.

Limitations
-----------

* For certain applications, like databases, or any other application that has
  its own cache handler (O_DIRECT), a file system backup is NOT an option.

Initialize the storage device with LUKS support
-----------------------------------------------

I will assume that your external storage device was recognised as /dev/sdb.
Of course you can configure udev to have the same device name always; for
example, /dev/backup.

IMPORTANT: Use a good password, you know what I mean, something like,
Mt9%I?!RnXE1_lL9O41j

NOTE: You can specify a specific cipher using the -c option; for example,
-c aes-cbc-essiv:sha256

    cryptsetup -y -h sha512 -s 256 luksFormat /dev/sdb

Open the external storage device
--------------------------------

    cryptsetup luksOpen /dev/sdb encrypted

You will need to type the password that you used in the previous step. Now,
there should be an "encrypted" block device in the /dev/mapper directory.

Format the encrypted device
---------------------------

You can format your encrypted device with any file system format. I will use
ext3.

    mkfs.ext3 /dev/mapper/encrypted

Mount the encrypted device
--------------------------

You can use any mount point for your encrypted device. I will use
/mnt/encrypted

    mkdir /mnt/encrypted
    mount /dev/mapper/encrypted /mnt/encrypted

Unmount and close the encrypted device
--------------------------------------

    umount /mnt/encrypted
    cryptsetup luksClose encrypted

NOTE: Make sure the "encrypted" device in the /dev/mapper directory is gone.

Automate the backups
--------------------

Save the script below in /root/bin/backup.sh and schedule a daily cron job.
Set the proper permissions and ownership to the script:

    chown -R root:root /root/bin
    chmod 700 /root/bin
    chmod 700 /root/bin/backup.sh
    chattr +i /root/bin/backup.sh

NOTE: If you don't want to have the password embedded in the script, then you
will have to run the backups manually and type the password.

IMPORTANT: Make sure someone else knows the password in case you die.

    #!/bin/bash
    ECHO=/bin/echo
    CRYPTSETUP=/sbin/cryptsetup
    DEV=/dev/sdb            # the external device initialised with luksFormat above
    MOUNT=/bin/mount
    UMOUNT=/bin/umount
    RSYNC=/usr/bin/rsync
    SYNC=/bin/sync
    DATE=/bin/date

    # Slot used by yesterday's backup: today's ISO weekday (1=Mon..7=Sun)
    # minus one, wrapping Monday back to slot 7 (Sunday). Each weekday gets
    # its own directory, which gives the 7-day retention.
    function lastBackup() {
        typeset -i lastBackup=$($DATE +"%u")-1
        [ $lastBackup -eq 0 ] && lastBackup=7
        $ECHO $lastBackup
    }

    # Open the encrypted device
    $ECHO 'Mt9%I?!RnXE1_lL9O41j' | $CRYPTSETUP luksOpen $DEV encrypted

    # Mount the encrypted device
    $MOUNT /dev/mapper/encrypted /mnt/encrypted

    # Backup: files unchanged since yesterday's slot are hard-linked from it
    # (--link-dest), so only changed files consume space. The pattern is
    # quoted so the shell does not expand it against the current directory.
    $RSYNC --archive \
        --partial \
        --delete \
        --delete-excluded \
        --exclude='*~' \
        --exclude=/dev \
        --exclude=/media \
        --exclude=/misc \
        --exclude=/mnt \
        --exclude=/proc \
        --exclude=/sys \
        --exclude=/tmp \
        --exclude=/var/cache \
        --exclude=/var/spool \
        --exclude=/var/tmp \
        --link-dest=../$(lastBackup) \
        / \
        /mnt/encrypted/$($DATE +"%u")

    # Sync before unmounting
    $SYNC

    # Unmount the encrypted device
    $UMOUNT /mnt/encrypted

    # Remove the encrypted device
    $CRYPTSETUP luksClose encrypted

Rodolfo Martínez
Socio director
Aleux Mexico
www.aleux.com

On Thu, Feb 11, 2010 at 5:24 PM, James Gray <[email protected]> wrote:
> Hi All,
>
> I've googled this one for a while and can't find any examples of people doing
> *system* file sync with rsync. So I thought I'd throw it out to the
> collective wisdom of SLUG. Here's the full story.
>
> We have a SuSE-based production application/DB server pair and a
> corresponding pair in a disaster recovery location (offsite, bandwidth
> consumption needs to be minimised). We need to sync a number of files
> between these servers and some require elevated (root) privileges at *both*
> ends. Here lies the problem; we don't allow remote root logins (via SSH or
> any other method either...sudo, console or nadda).
>
> I want to use rsync because of its ability to transfer
> differential/incremental changes and thus be bandwidth friendly, however any
> other tool would be fine too. However, due to the inability for root to
> login directly, how the heck do I synchronise particular files in privileged
> locations (like /etc/shadow)? I can start whatever services I need at either
> end (like an rsync server) but the main thing is all files maintain the same
> owner/group/mode at each end.
>
> Ideas?
>
> Thanks in advance,
>
> James
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
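The weekday-slot rotation and --link-dest selection in Rodolfo's backup.sh are the parts that decide whether the scheme really is incremental and really keeps 7 days, so here they are as an added example (not code from the howto or from the SLUG thread) split into functions that can be exercised on an ordinary directory, with no LUKS device or passphrase involved. The source tree, backup root and slot number are parameters; the function names and the constructed two-file sample tree are assumptions of this example. It also covers the first-run case, where yesterday's slot does not exist yet and rsync should simply not be given a --link-dest.

```shell
#!/bin/bash
# Added example, not part of Rodolfo's howto: the weekday-slot rotation and
# --link-dest selection from his backup.sh as standalone functions. Source
# tree, backup root and slot are parameters (assumed names); rsync is the
# only external dependency.

# prev_slot TODAY: slot written yesterday, given today's ISO weekday
# (1=Mon .. 7=Sun). Monday wraps back to Sunday's slot, 7.
prev_slot() {
    local prev
    prev=$(( $1 - 1 ))
    [ "$prev" -eq 0 ] && prev=7
    echo "$prev"
}

# link_dest_arg ROOT TODAY: print --link-dest=ROOT/PREV only when yesterday's
# slot exists, so the very first run does not hand rsync a missing directory.
link_dest_arg() {
    local prev
    prev=$(prev_slot "$2")
    if [ -d "$1/$prev" ]; then
        echo "--link-dest=$1/$prev"
    fi
}

# snapshot SRC ROOT TODAY: copy SRC into ROOT/TODAY with the howto's rsync
# flags, hard-linking files that are unchanged since yesterday's slot.
# (The system-directory excludes are omitted: SRC is an arbitrary tree here.)
snapshot() {
    local link
    link=$(link_dest_arg "$2" "$3")
    mkdir -p "$2/$3"
    rsync --archive --partial --delete --delete-excluded --exclude='*~' \
        ${link:+"$link"} "$1/" "$2/$3/"
}

# two_day_demo WORK: back up a constructed tree on "Monday" (slot 1), change
# one file, back it up again on "Tuesday" (slot 2). Returns 0 when the
# unchanged file is one shared inode in both slots, the changed file is not,
# and slot 1 still holds the old content, i.e. the scheme is incremental and
# an older day's copy survives a later change.
two_day_demo() {
    local work=$1
    mkdir -p "$work/src"
    echo "unchanged" > "$work/src/keep.txt"      # constructed sample data
    echo "v1" > "$work/src/changing.txt"
    snapshot "$work/src" "$work/bak" 1
    echo "v2" > "$work/src/changing.txt"
    snapshot "$work/src" "$work/bak" 2
    [ "$work/bak/1/keep.txt" -ef "$work/bak/2/keep.txt" ] &&
        [ ! "$work/bak/1/changing.txt" -ef "$work/bak/2/changing.txt" ] &&
        [ "$(cat "$work/bak/1/changing.txt")" = "v1" ]
}

# Run the demo when rsync is available.
if command -v rsync >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    two_day_demo "$tmp" && echo "incremental hard-link snapshot OK"
    rm -rf "$tmp"
fi
```

Because each slot is a complete directory tree, restoring any of the last seven days is a plain copy out of ROOT/N; the hard links are what make that affordable. A side effect worth knowing when you size the device: rsync --link-dest only shares files whose content, permissions and ownership are identical, so a chmod or chown across a large tree costs a full extra copy that day.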
