I’ve previously used rdiff-backup to do remote backups of my Debian servers, but for whatever reason they tend to fail and I don’t learn about the problem soon enough and I needed a new solution. Enter: rsnapshot.
Install rsnapshot on both the remote machine and the backup server:
apt-get install rsnapshot
Save yourself a copy of the default config file if you ever need it:
cp /etc/rsnapshot.conf /etc/rsnapshot.conf.default
On the backup server I create an rsnapshot user:
groupadd -g 3500 rsnapshot
useradd -u 3500 -s /bin/false -d /home/rsnapshot -m -c "rsnapshot" -g rsnapshot rsnapshot
Then prepare the backup server to be able to automatically access the production server using ssh keys:
su -m rsnapshot
With the previous command you become the user rsnapshot on the shell. You could confirm this with:
The next few commands must be run as user rsnapshot!
Create the keys:
ssh-keygen -t rsa
Hit enter on all prompts. It is important that you do not enter a passphrase; otherwise the backup will not work without human interaction, so again, hit enter. In the end two files are created: /home/rsnapshot/.ssh/id_rsa and /home/rsnapshot/.ssh/id_rsa.pub.
Now copy over the public key you just created to your production server:
ssh-copy-id -i /home/rsnapshot/.ssh/id_rsa.pub root@yourdomainname.example.com
If your production server to be backed up happens to run Ubuntu, as one of mine did, then you should log in to the production server and then do away with its silly refusal to have a password for root with:
sudo passwd root
and then you’ll have no trouble with the prior step which copies the public key of the user rsnapshot to the file /root/.ssh/authorized_keys on the production server yourdomainname.example.com.
You can confirm that this worked with:
That should have logged you in as root on your production server without requiring you to enter a password. Now, on the one hand, this is exactly what we were trying to do, but on the other hand, we don’t want to leave it like this or anyone who gets access to the rsnapshot user on your backup server could be root on your production server. Not good. So next we fix that by taking a look at /root/.ssh/authorized_keys. It should look similar to this:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA[...]/zkctw== rsnapshot@backupservername
Insert from="126.96.36.199",command="/root/validate-rsync" just before “ssh-rsa”, separated only by a single space, all on a single line like so:
from="126.96.36.199",command="/root/validate-rsync" ssh-rsa AAAAB[...]/zkctw== rsnapshot@backupservername
where “126.96.36.199” is your backup server’s numeric IP address. This change means that user rsnapshot can only log in from your backup server’s IP address and can only run a single command, “validate-rsync”. We must now create the file /root/validate-rsync with the following content:
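#!/bin/sh
# Forced command for the rsnapshot key: run the request only if it is an rsync server call.
case "$SSH_ORIGINAL_COMMAND" in
    # Reject anything containing input redirection, backticks or pipes.
    *\<*)
        echo "Rejected"
        ;;
    *\`*)
        echo "Rejected"
        ;;
    *\|*)
        echo "Rejected"
        ;;
    # Run the rsync server command that the backup client asked for.
    rsync\ --server*)
        $SSH_ORIGINAL_COMMAND
        ;;
    # Everything else is refused.
    *)
        echo "Rejected"
        ;;
esac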
Special thanks to Troy Johnson for this script. Now make the script executable:
chmod u+x /root/validate-rsync
You should now be set up on the production server and can log out and go back to your rsnapshot user on the backup server. Become root on the backup server so you can edit the rsnapshot configuration file, /etc/rsnapshot.conf, which you can learn more about at this rsnapshot HOWTO. The main thing to know about this config file is that everything that looks like a space probably should be a TAB instead.
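One way to check both halves of the restriction set up above, as an added example that is not part of the original post: key_line_gaps lists the restrictions an authorized_keys line lacks (pty and forwarding options included, since command= on its own does not switch those off), and decide gives the verdict of a stricter variant of validate-rsync that accepts only rsync's read-only --sender mode, which is all a pull backup needs. Both function names and the sample commands are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample key lines and commands
# passed to these functions are constructed.

# key_line_gaps LINE: print the restrictions missing from the options field
# of one authorized_keys line; empty output means none are missing.
key_line_gaps() {
    case "$1" in
        ssh-*) opts="" ;;               # line starts with the key type: no options
        *)     opts="${1%% ssh-*}" ;;   # options are the text before the key type
    esac
    # "restrict" (OpenSSH 7.2+) implies the four no-* options.
    case ",$opts," in
        *,restrict,*) opts="$opts,no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding" ;;
    esac
    gaps=""
    for want in from= command= no-pty no-port-forwarding \
                no-agent-forwarding no-X11-forwarding; do
        case ",$opts," in
            *",$want"*) ;;
            *) gaps="$gaps $want" ;;
        esac
    done
    echo "${gaps# }"
}

# decide CMD: verdict of a stricter validate-rsync for one SSH_ORIGINAL_COMMAND.
# A pull backup only needs the remote rsync in read-only --sender mode.
decide() {
    case "$1" in
        *\&*|*\;*|*\<*|*\>*|*\`*|*\|*|*\$*) echo reject ;;
        "rsync --server --sender "*)        echo allow ;;
        *)                                  echo reject ;;
    esac
}

# Constructed samples: the key line from this page, then two rsync requests.
key_line_gaps 'from="126.96.36.199",command="/root/validate-rsync" ssh-rsa AAAAB[...]/zkctw== rsnapshot@backupservername'
decide 'rsync --server --sender -logDtpre.iLsfxC --numeric-ids . /etc'
decide 'rsync --server -logDtpre.iLsfxC . /etc'
```

Any option names printed by key_line_gaps can be appended, comma-separated, to the option list in front of “ssh-rsa” in /root/.ssh/authorized_keys.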
#I suggest the following changes:
snapshot_root	/home/rsnapshot/.snapshots/
# user rsnapshot can't write to /var
logfile	/home/rsnapshot/rsnapshot.log
# user rsnapshot can't write to /var
lockfile	/home/rsnapshot/rsnapshot.pid
ssh_args	-o BatchMode=yes
#Uncomment the following:
cmd_cp	/bin/cp
cmd_ssh	/usr/bin/ssh
cmd_du	/usr/bin/du
interval	monthly	3
#Choose some directories to exclude:
exclude	/home/user/JunkThatIDontWant
exclude	/cdrom
exclude	/proc
exclude	/sys
exclude	/tmp
#And choose some directories to backup:
backup	root@yourdomainname.example.com:/home/user/	yourdomainname.example.com/
backup	root@yourdomainname.example.com:/etc	yourdomainname.example.com/
backup	root@yourdomainname.example.com:/var	yourdomainname.example.com/
backup	root@yourdomainname.example.com:/usr/local	yourdomainname.example.com/
Now you probably put some spaces where there were supposed to be tabs, so check your config file's syntax with this test:
Once it comes back with "Syntax OK" you are ready to try your first hourly snapshot. Become the rsnapshot user and give it a try with:
su -m rsnapshot
rsnapshot -V hourly
This will give verbose output so you can see that something is really happening. Once you get an hourly snapshot or two to complete successfully, you should automate this with cron. As the rsnapshot user, type:
and choose your schedule, something like:
0 */4 * * * /usr/bin/rsnapshot hourly
50 2 * * * /usr/bin/rsnapshot daily
40 2 * * 6 /usr/bin/rsnapshot weekly
30 2 1 * * /usr/bin/rsnapshot monthly
which would do 6 hourly backups a day (once every 4 hours, at 0,4,8,12,16,20)
1 daily backup every day, at 2:50AM
1 weekly backup every week, at 2:40AM, on Saturdays (6th day of week)
1 monthly backup every month, at 2:30AM on the 1st day of the month.
And there you have it! You have automated remote backups of your production server using rsnapshot.