On 23 May 2017, at 15:53, Chris Ferebee wrote:
> Hi all,
>
> znapzend is wonderful for snapshots and backups.
>
> However, for backups of internet-facing zones, I would prefer a "pull"
> rather than "push" configuration, such that the backup host initiates
> the connection to the live host, rather than the other way around.
>
> That way, the backup host can sit securely behind a NAT firewall, and
> the live host doesn’t need to have ssh keys etc. giving access to
> the backup host.
>
> This just seems more secure on general principles considering
> ransomware and other threats.

Yes, pulling from an internet-facing zone makes sense. As well as
keeping ssh keys off the internet-facing zone, your backup host can be
totally isolated from incoming internet connections.

> I don’t see how to implement something along these lines easily with
> znapzend. Is there an alternative that would support this type of
> configuration?

I don't use znapzend myself, but see from http://www.znapzend.org/ that
it uses zfs send/receive. One thing I do locally (i.e. in house, off the
internet) with zfs send/receive is:

1) use 'zfs send' to output to local disk file - this is initiated by
   cron on that host/zone
2) rsync in 'pull mode' from another host/zone to retrieve the file - I
   delete the source file as part of that, to keep things tidy there
3) perform 'zfs receive' using that file

You may wish to add some checksumming to that, particularly where there
can be a significant delay between snapshot creation and retrieval.
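
One way to script the three steps above with the suggested checksum, as an added example rather than code from the thread or from znapzend. Carrying the SHA-256 in the file name is a choice made here; the host, dataset and path names are hypothetical, and sha256sum, rsync and zfs are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Hosts, datasets and paths are hypothetical.

# LIVE host, from cron: dump a snapshot to a spool file. The stream is written
# under a .part name, hashed, then renamed in one step to <name>.<sha256>.zfs,
# so the puller never sees a half-written file or a file without its checksum.
export_stream() {        # export_stream pool/data@snap /var/spool/zfs-export
    snap=$1; dir=$2
    base=$(printf '%s' "$snap" | tr '/@' '__')
    tmp="$dir/$base.part"
    zfs send "$snap" > "$tmp" || { rm -f "$tmp"; return 1; }
    publish_stream "$tmp" "$dir/$base"
}

publish_stream() {       # publish_stream /dir/base.part /dir/base
    sum=$(sha256sum < "$1" | awk '{print $1}') || return 1
    [ ${#sum} -eq 64 ] || return 1
    mv "$1" "$2.$sum.zfs"
}

# BACKUP host: true only if the file content still matches the hash in its name.
verify_stream() {        # verify_stream /backup/incoming/<name>.<sha256>.zfs
    want=${1%.zfs}; want=${want##*.}
    [ ${#want} -eq 64 ] || return 1
    have=$(sha256sum < "$1" | awk '{print $1}')
    [ "$want" = "$have" ]
}

# BACKUP host, from cron: pull finished streams (deleting them at the source,
# as in step 2), verify each one, and only then hand it to zfs receive.
pull_and_receive() {     # pull_and_receive live.example.net:/var/spool/zfs-export /backup/incoming backup/data
    rsync -a --remove-source-files --include='*.zfs' --exclude='*' "$1/" "$2/" || return 1
    for f in "$2"/*.zfs; do
        [ -e "$f" ] || continue
        if verify_stream "$f"; then
            zfs receive -u "$3" < "$f" && rm -f "$f"
        else
            echo "checksum mismatch, not receiving: $f" >&2
            mv "$f" "$f.bad"      # keep the bad file for inspection
        fi
    done
}
```

A matching hash shows the file was not corrupted between export and receive; it does not authenticate the stream, since whoever controls the live host can publish a file whose name matches its content.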