From Sudo Room
Jump to navigation Jump to search

Backup happens from all sudomesh servers to every 24 hours. The backup system uses duplicity over rsync. The backups are incremental and encrypted.

Client setup

Clients have this script in /etc/cron.daily:



and the db_dump script looks like:


/usr/bin/mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --all-databases > /var/databases/all_mysql_databases.sql

and the secure_backup script looks like:


PASSPHRASE="the_duplicity_passphrase" /usr/bin/duplicity --exclude-other-filesystems / rsync://

WARNING: Make sure the secure_backup file is only readable by root!

Key-based login has been set up for logging into by first creating the user clientuser on with a long random password, and then using ssh-copy-id from the client.

The passphrase is long and randomly generated and is also stored in multiple secure offline locations.

Server setup

The server has a user called clientuser which is set up to allow key-based login with the client server's public ssh key.

The home directory of clientuser looks like:

root@backup:/home/clientuser# ls -l
total 12
drwxr-x--- 2 clientuser clientuser 12288 Oct 13 01:49 backup

The server has the cronjob /etc/cron.daily/backup_permissions:


# This script prevents backups from being deleted
# by the user that created them.

/bin/chmod 640 /home/clientuser/backup/*
/bin/chown root.clientuser /home/clientuser/backup/*