27 Apr

Remote backups with rsnapshot

I’ve previously used rdiff-backup to do remote backups of my Debian servers, but for whatever reason they tend to fail and I don’t learn about the problem soon enough and I needed a new solution. Enter: rsnapshot.

Install rsnapshot on both the remote machine and the backup server:

apt-get install rsnapshot

Save yourself a copy of the default config file if you ever need it:

cp /etc/rsnapshot.conf /etc/rsnapshot.conf.default

On the backup server I create an rsnapshot user:

groupadd -g 3500 rsnapshot
useradd -u 3500 -s /bin/false -d /home/rsnapshot -m -c "rsnapshot" -g rsnapshot rsnapshot

Then prepare the backup server to be able to automatically access the production server using ssh keys:

cd /home/rsnapshot
su -m rsnapshot

With the previous command you become the user rsnapshot on the shell. You could confirm this with:

whoami

The next few commands must be run as user rsnapshot!

Create the keys:

ssh-keygen -t rsa

Hit enter on all prompts. It is important that you do not enter a passphrase, otherwise the backup will not work without human interaction, so again, hit enter. In the end two files are created: /home/rsnapshot/.ssh/id_rsa and /home/rsnapshot/.ssh/id_rsa.pub.

Now copy over the public key you just created to your production server:

ssh-copy-id -i /home/rsnapshot/.ssh/id_rsa.pub root@yourdomainname.example.com

If your production server to be backed up happens to run Ubuntu, as one of mine did, then you should log in to the production server and then do away with its silly refusal to have a password for root with:

sudo passwd root

and then you’ll have no trouble with the prior step which copies the public key of the user rsnapshot to the file /root/.ssh/authorized_keys on the production server yourdomainname.example.com.

You can confirm that this worked with:

ssh root@yourdomainname.example.com

That should have logged you in as root on your production server without requiring you to enter a password. Now, on the one hand, this is exactly what we were trying to do, but on the other hand, we don’t want to leave it like this or anyone who gets access to the rsnapshot user on your backup server could be root on your production server. Not good. So next we fix that by taking a look at /root/.ssh/authorized_keys. It should look similar to this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA[...]/zkctw== rsnapshot@backupservername

Now prepend from="1.2.3.4",command="/root/validate-rsync" just before “ssh-rsa” separated only by a single space, all on a single line like so:

from="1.2.3.4",command="/root/validate-rsync" ssh-rsa AAAAB[...]/zkctw== rsnapshot@backupservername

where “1.2.3.4” is your backup server’s numeric IP address. This change means that user rsnapshot can only log in from your backup server’s IP address and can only run a single command, “validate-rsync”. We must now create the file /root/validate-rsync with the following content:

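#!/bin/sh

# Forced command for the backup key: sshd puts whatever the client asked
# to run into $SSH_ORIGINAL_COMMAND and runs this script instead.
case "$SSH_ORIGINAL_COMMAND" in
    # Reject anything containing shell metacharacters.
    *\&*)
        echo "Rejected"
        ;;
    *\(*)
        echo "Rejected"
        ;;
    *\{*)
        echo "Rejected"
        ;;
    *\;*)
        echo "Rejected"
        ;;
    *\<*)
        echo "Rejected"
        ;;
    *\`*)
        echo "Rejected"
        ;;
    *\|*)
        echo "Rejected"
        ;;
    # The only command allowed: rsync in server mode.
    # Left unquoted on purpose so the shell splits it into rsync and its arguments.
    rsync\ --server*)
        $SSH_ORIGINAL_COMMAND
        ;;
    # Everything else, including an interactive login, is rejected.
    *)
        echo "Rejected"
        ;;
esac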

Special thanks to Troy Johnson for this script. Now make the script executable:

chmod u+x /root/validate-rsync
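
The filter's decisions can be checked before relying on it. This is an added example, not part of the original post or of Troy Johnson's script: decide() reproduces the script's rules in "page" mode and, as an assumption for a backup that only pulls data, a stricter "pull" mode that also requires rsync's --sender flag, so the key can read from the production server but not write to it. The sample commands are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). decide() prints a verdict
# instead of executing anything, so the rules can be tested safely.
#   decide page CMD -> the post's rule: must start with "rsync --server"
#   decide pull CMD -> stricter assumption: must also carry "--sender",
#                      i.e. the production host only ever sends files
decide() {
    mode=$1
    cmd=$2
    case "$cmd" in
        # Shell metacharacters rejected by the post's script.
        *\&* | *\(* | *\{* | *\;* | *\<* | *\`* | *\|*)
            echo reject
            return 0
            ;;
    esac
    case "$mode:$cmd" in
        page:"rsync --server"*)           echo accept ;;
        pull:"rsync --server --sender "*) echo accept ;;
        *)                                echo reject ;;
    esac
}

# Constructed sample values of $SSH_ORIGINAL_COMMAND.
PULL='rsync --server --sender -logDtprze.iLsfx --numeric-ids . /etc'
PUSH='rsync --server -logDtprze.iLsfx --numeric-ids . /etc'
CHAIN='rsync --server --sender -logDtpr . /etc; uptime'
SHELL_REQ='/bin/sh'
EMPTY=''   # what sshd passes for an interactive login attempt

# Columns: verdict in page mode, verdict in pull mode, command.
for c in "$PULL" "$PUSH" "$CHAIN" "$SHELL_REQ" "$EMPTY"; do
    printf '%-7s %-7s %s\n' \
        "$(decide page "$c")" "$(decide pull "$c")" "${c:-<interactive login>}"
done
```

The second sample is the one that differs between the two modes: without --sender the remote rsync acts as the receiver, which a pull-only backup never needs.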

You should now be set up on the production server and can log out and go back to your rsnapshot user on the backup server. Become root on the backup server so you can edit the rsnapshot configuration file, /etc/rsnapshot.conf, which you can learn more about at this rsnapshot HOWTO. The main thing to know about this config file is that everything that looks like a space probably should be a TAB instead.

#I suggest the following changes:
snapshot_root /home/rsnapshot/.snapshots/
# user rsnapshot can't write to /var, so the log and lock files go in its home
logfile       /home/rsnapshot/rsnapshot.log
lockfile      /home/rsnapshot/rsnapshot.pid
ssh_args      -o BatchMode=yes

#Uncomment the following:
cmd_cp        /bin/cp
cmd_ssh       /usr/bin/ssh
cmd_du        /usr/bin/du
interval      monthly 3

#Choose some directories to exclude:
exclude       /home/user/JunkThatIDontWant
exclude       /cdrom
exclude       /proc
exclude       /sys
exclude       /tmp

#And choose some directories to backup:
backup        root@yourdomainname.example.com:/home/user/ yourdomainname.example.com/
backup        root@yourdomainname.example.com:/etc yourdomainname.example.com/
backup        root@yourdomainname.example.com:/var yourdomainname.example.com/
backup        root@yourdomainname.example.com:/usr/local yourdomainname.example.com/

Now you probably put some spaces where there were supposed to be tabs, so check your config file's syntax with this test:

rsnapshot configtest

Once it comes back with "Syntax OK" you are ready to try your first hourly snapshot. Become the rsnapshot user and give it a try with:

cd /home/rsnapshot
su -m rsnapshot
rsnapshot -V hourly

This will give verbose output so you can see that something is really happening. Once you get an hourly snapshot or two to complete successfully, you should automate this with cron. As the rsnapshot user, type:

crontab -e

and choose your schedule, something like:

0 */4 * * * /usr/bin/rsnapshot hourly
50 2 * * * /usr/bin/rsnapshot daily
40 2 * * 6 /usr/bin/rsnapshot weekly
30 2 1 * * /usr/bin/rsnapshot monthly

which would do:

6 hourly backups a day (once every 4 hours, at 0, 4, 8, 12, 16 and 20),
1 daily backup every day, at 2:50AM,
1 weekly backup every week, at 2:40AM, on Saturdays (6th day of week),
1 monthly backup every month, at 2:30AM on the 1st day of the month.

And there you have it! You have automated remote backups of your production server using rsnapshot.

2 Responses to “Remote backups with rsnapshot”

  1. Patrick says:

    When I run su -m rsnapshot, it asks me for the password and no password works. What am I doing wrong?

  2. Patrick says:

    I found out why. I have to add “sudo” before.