Difference between revisions of "Mesh/Backup"

From Sudo Room
(Created page with "Backup happens from all sudomesh servers to backup.sudomesh.org every 24 hours. The backup system uses duplicity over rsync. The backups are incremental and encrypted. = Clie...")
 
Line 38: Line 38:


<pre>
<pre>
root@backup:/home/ccl# ls -l
root@backup:/home/clientuser# ls -l
total 12
total 12
drwxr-x--- 2 clientuser clientuser 12288 Oct 13 01:49 backup
drwxr-x--- 2 clientuser clientuser 12288 Oct 13 01:49 backup
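Review bot: the rename from /home/ccl to /home/clientuser in the prompt line is not carried through to the backup_permissions cron job shown in this revision, which still assigns group ccl to /home/clientuser/backup/*. If ccl was the earlier name for the same account, update that chown line as well; if ccl is a separate group, add a sentence under "Server setup" saying what it is and who belongs to it, because the 640 mode gives that group read access to every archive.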

Revision as of 23:39, 12 October 2013

Backup happens from all sudomesh servers to backup.sudomesh.org every 24 hours. The backup system uses duplicity over rsync. The backups are incremental and encrypted.

Client setup

Clients have this script in /etc/cron.daily:

#!/bin/sh

/root/scripts/db_dump
/root/scripts/secure_backup

and the db_dump script looks like:

#!/bin/sh

/usr/bin/mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --all-databases > /var/databases/all_mysql_databases.sql

and the secure_backup script looks like:

#!/bin/sh

PASSPHRASE="the_duplicity_passphrase" /usr/bin/duplicity --exclude-other-filesystems / rsync://clientuser@backup.sudomesh.org/backup/

Key-based login to backup.sudomesh.org was set up by first creating the user clientuser on backup.sudomesh.org with a long random password, and then running ssh-copy-id from the client.

The passphrase is long and randomly generated and is also stored in multiple secure offline locations.

Server setup

The server has a user called clientuser which is set up to allow key-based login with the client server's public SSH key.

The home directory of clientuser looks like:

root@backup:/home/clientuser# ls -l
total 12
drwxr-x--- 2 clientuser clientuser 12288 Oct 13 01:49 backup

The server has the cronjob /etc/cron.daily/backup_permissions:

#!/bin/sh

# This script prevents backups from being deleted
# by the user that created them.

/bin/chmod 640 /home/clientuser/backup/*
/bin/chown root.ccl /home/clientuser/backup/*
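
The cron job above changes the owner and mode of the stored archives, but whether a file can be unlinked or renamed is decided by write permission on the containing directory, and the listing above shows backup owned by clientuser with rwx. The following audit is an added example, not one of the sudomesh scripts: it checks both the files and the directory. The function name, its arguments and the finding labels are assumptions made for this example, and it relies on GNU stat.

```sh
#!/bin/sh
# Added example (not a sudomesh script). Assumes GNU stat(1).
# audit_backup_dir DIR OWNER_UID
#   OWNER_UID is the uid expected to own the stored archives (0 on the
#   real server, where backup_permissions runs chown root).
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_backup_dir() {
    dir=$1
    want_uid=$2
    rc=0

    # Unlinking or renaming a file needs write permission on the
    # directory, not on the file, so check the directory first.
    d_uid=$(stat -c %u "$dir")
    d_mode=$(stat -c %a "$dir")
    if [ "$d_uid" != "$want_uid" ] && [ $(( 0$d_mode & 0200 )) -ne 0 ]; then
        echo "DIR   $dir writable by uid $d_uid: archives can be deleted or renamed"
        rc=1
    fi
    if [ $(( 0$d_mode & 0022 )) -ne 0 ]; then
        echo "DIR   $dir group/other writable (mode $d_mode)"
        rc=1
    fi

    # Files uploaded since the last backup_permissions run still carry
    # the uploader's ownership and mode; report those as well.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        f_uid=$(stat -c %u "$f")
        f_mode=$(stat -c %a "$f")
        if [ "$f_uid" != "$want_uid" ]; then
            echo "OWNER $f owned by uid $f_uid, expected $want_uid"
            rc=1
        fi
        if [ "$f_mode" != 640 ]; then
            echo "MODE  $f is $f_mode, expected 640"
            rc=1
        fi
    done
    return $rc
}

# Run against a directory when called with two arguments, e.g.
#   sh audit_backup_dir.sh /home/clientuser/backup 0
if [ $# -eq 2 ]; then
    audit_backup_dir "$1" "$2"
fi
```

On the layout shown on this page, a run with owner uid 0 reports a DIR finding for as long as clientuser owns the backup directory, and OWNER/MODE findings for anything uploaded since the last backup_permissions run.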