From: "David Robillard" <david.robillard@gmail.com>
To: "Paul Schmehl"
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Fri, 4 Apr 2008 15:40:55 -0400
Subject: Re: Remote backups using ssh and dump
Message-ID: <226ae0c60804041240g745787b6kf3eef610d0f6bffe@mail.gmail.com>
> Has anyone done this?
>
> I'm presently using rsync over ssh, but I think dump would be better if it will
> work. I've been reading the man page, but I'm wondering if anyone is doing
> this successfully and would like to share their cmdline.

Hi Paul,

We're not using dump over ssh, but I was curious to know why you'd prefer dump over rsync? We're using rsync and it's been good to us.

So, I'd like to share with you our backup strategy, just in case it can help you or anyone running various UNIX flavors. We use FreeBSD, RedHat Enterprise Linux, Ubuntu Linux and IBM AIX in this setup. This is a disk to disk to tape scenario.

All clients are configured with a user called "backup" with a UID of zero (so that he can read everything). Its shell is set to rssh, which in turn is configured to allow rsync only to the backup user. We limit who can connect to each client via sshd_conf's AllowUsers config. Each client has the central backup server's special ssh key file installed in ~backup/.ssh/authorized_keys, edited to have from="backup.domain.com", in it to restrict which machine can use this key.

The central FreeBSD backup server has ssh access to every client and has rsnapshot installed. We have an rsnapshot configuration for each client. Each backup run is scheduled via the server's crontab. Backup data is stored on the server's encrypted backup volume.

The nice thing about rsnapshot is that it uses efficient links to save disk space. In the first run of a new client it takes the entire data set, but each subsequent run only takes the changes. The backup data is kept online, so you can actually browse it live and use scp/tar/rsync to perform a restore, be it a single file or the entire file system.

Using rsnapshot enables us to save a week's worth of data of all our 100+ machines without using more than 300Gb of disk space on the backup server (lots of machines, but not much data, we're quite lucky :)

Each day, the backup data is passed with dd into OpenPGP before being sent to tape with tar. This way our tapes are encrypted and impossible to read without the appropriate password. That password is kept in an encrypted file. We can therefore send our tapes off site with any company knowing our data is safe.

All the admins keep a detailed howto and the important encrypted password files on a USB stick in case the data center fails and we lose our wiki and the file server.

If anyone is interested in the exact configuration of this backup setup, we have it all in a wiki, so it's easy to share it.

Hope that can help anyone,

Cheers,

David

--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
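The post relies on three client-side controls around the UID-0 "backup" account: the `from="backup.domain.com"` restriction on the server's key in `~backup/.ssh/authorized_keys`, the `AllowUsers` directive in the sshd configuration, and rssh as the account's login shell. The following POSIX shell script is an added example (not David's configuration or any project code) that audits those three settings on a client and, for a key line that lacks the restriction, shows how the `from=` option is prepended. The hostname `backup.domain.com` and the user name `backup` come from the post; the sample `authorized_keys`, `sshd_config` and `passwd` files are constructed in a temporary directory so the script runs offline.

```sh
#!/bin/sh
# Added example: audit the three client-side controls described in the post.
#   1. every key in the backup user's authorized_keys is limited with from="<backup server>"
#   2. sshd_config has an AllowUsers line that names the backup user
#   3. the backup user's login shell is rssh
# Each audit function returns 0 when the control is in place and 1 otherwise.

BACKUP_SERVER="backup.domain.com"   # hostname used in the post
BACKUP_USER="backup"                # account name used in the post

# audit_authorized_keys FILE SERVER
# Prints every key line whose from= option is missing or is not exactly SERVER.
audit_authorized_keys() {
    _file="$1"; _srv="$2"; _bad=0
    while IFS= read -r _line; do
        case "$_line" in
            ''|'#'*) continue ;;              # skip blank lines and comments
        esac
        # extract the value inside from="..."; empty when the option is absent
        _from=$(printf '%s\n' "$_line" | sed -n 's/.*from="\([^"]*\)".*/\1/p')
        if [ "$_from" != "$_srv" ]; then
            echo "UNRESTRICTED: $_line"
            _bad=1
        fi
    done < "$_file"
    return $_bad
}

# restrict_key LINE SERVER
# Prints LINE with from="SERVER" prepended unless it already carries a from= option.
restrict_key() {
    case "$1" in
        *'from="'*) printf '%s\n' "$1" ;;
        *)          printf 'from="%s" %s\n' "$2" "$1" ;;
    esac
}

# audit_allowusers SSHD_CONFIG USER
# Succeeds if an AllowUsers directive lists USER (plain or as USER@host).
audit_allowusers() {
    awk -v u="$2" '
        tolower($1) == "allowusers" {
            for (i = 2; i <= NF; i++) if ($i == u || index($i, u "@") == 1) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# audit_shell PASSWD_FILE USER
# Succeeds if USER exists in the passwd-format file and its shell field is rssh.
audit_shell() {
    awk -F: -v u="$2" '
        $1 == u { shell = $7 }
        END { exit (shell ~ /\/rssh$/) ? 0 : 1 }' "$1"
}

# --- constructed sample inputs (not real keys or hosts) ---------------------
SAMPLE_DIR=$(mktemp -d)
GOOD_KEYS="$SAMPLE_DIR/authorized_keys.good"
BAD_KEYS="$SAMPLE_DIR/authorized_keys.bad"
SSHD_CONF="$SAMPLE_DIR/sshd_config"
PASSWD="$SAMPLE_DIR/passwd"

cat > "$GOOD_KEYS" <<'EOF'
# key of the central backup server, restricted to that host
from="backup.domain.com" ssh-rsa AAAAB3NzaC1yc2EFAKEKEYDATA backup@backup.domain.com
EOF

cat > "$BAD_KEYS" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EFAKEKEYDATA backup@backup.domain.com
from="*.domain.com" ssh-rsa AAAAB3NzaC1yc2EFAKEKEYDATA2 backup@backup.domain.com
EOF

cat > "$SSHD_CONF" <<'EOF'
PermitRootLogin no
AllowUsers admin backup
EOF

cat > "$PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
backup:*:0:0:Backup account:/home/backup:/usr/local/bin/rssh
EOF

# --- run the audits against the samples --------------------------------------
audit_authorized_keys "$GOOD_KEYS" "$BACKUP_SERVER" && echo "good keys: all restricted"
audit_authorized_keys "$BAD_KEYS"  "$BACKUP_SERVER" || echo "bad keys: unrestricted entries found"
audit_allowusers "$SSHD_CONF" "$BACKUP_USER"       && echo "AllowUsers lists $BACKUP_USER"
audit_shell "$PASSWD" "$BACKUP_USER"               && echo "$BACKUP_USER shell is rssh"
```

The `from=` comparison is exact on purpose: a wildcard such as `from="*.domain.com"` is reported as unrestricted, since it no longer pins the key to the single backup server the post describes. Run the script as root on a client and point the three functions at the real `/home/backup/.ssh/authorized_keys`, `/etc/ssh/sshd_config` and `/etc/passwd` to check a host after provisioning.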