Mirror Your Web Site With rsync On Fedora 10 - Page 2

Submitted by falko (Contact Author) (Forums) on Thu, 2009-02-05 12:31. ::

5 Configure server1.example.com

Now log in through SSH on server1.example.com as someuser (not root!)...

server1:

su someuser

... and do this:

server1:

(Please do this as someuser!)

mkdir ~/.ssh
chmod 700 ~/.ssh
mv ~/mirror-rsync-key.pub ~/.ssh/
cd ~/.ssh
touch authorized_keys
chmod 600 authorized_keys
cat mirror-rsync-key.pub >> authorized_keys

By doing this, we have appended the contents of mirror-rsync-key.pub to the file /home/someuser/.ssh/authorized_keys. /home/someuser/.ssh/authorized_keys should look similar to this:

server1:

(Still as someuser!)

vi /home/someuser/.ssh/authorized_keys

ssh-dss AAAAB3NzaC1[...]qqOyXtbUx7HOMEw== root@server2.example.com

Now we want to allow connections only from server2.example.com, and the connecting user should be allowed to use only rsync, so we add

command="/home/someuser/rsync/checkrsync",from="server2.example.com",no-port-forwarding,no-X11-forwarding,no-pty

right at the beginning of /home/someuser/.ssh/authorized_keys:

server1:

(Still as someuser!)

vi /home/someuser/.ssh/authorized_keys

command="/home/someuser/rsync/checkrsync",from="server2.example.com",no-port-forwarding,no-X11-forwarding,no-pty ssh-dss AAAAB3NzaC1[...]qqOyXtbUx7HOMEw== root@server2.example.com

It is important that you use a FQDN like server2.example.com instead of an IP address after from=, otherwise the automated mirroring will not work!
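As an added check (not part of the HowtoForge article), the following POSIX sh function inspects one authorized_keys line and reports which of the restrictions described above (command=, from=, no-port-forwarding, no-X11-forwarding, no-pty) are missing in front of the key, so the edit can be verified rather than eyeballed. The sample line is constructed and its key material is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the HowtoForge article: checks one
# authorized_keys line for the restrictions the article adds in front of the
# key (command=, from=, no-port-forwarding, no-X11-forwarding, no-pty).
# The sample line below is constructed; the key material is a placeholder.

# Prints "ok" and returns 0 when every expected restriction is present,
# otherwise prints "missing:" followed by the absent options and returns 1.
restricted_key_line() {
    line=$1
    # The option list is everything before the key type token; the key types
    # used on this page start with "ssh-" (ssh-dss, ssh-rsa).
    opts=${line%% ssh-*}
    [ "$opts" != "$line" ] || opts=""      # no " ssh-" found: no options at all
    missing=""
    case "$opts" in *'command="'*) ;; *) missing="$missing command=" ;; esac
    case "$opts" in *'from="'*)    ;; *) missing="$missing from=" ;; esac
    for o in no-port-forwarding no-X11-forwarding no-pty; do
        case ",$opts," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo ok
}

# Constructed sample line in the shape the article ends up with.
sample='command="/home/someuser/rsync/checkrsync",from="server2.example.com",no-port-forwarding,no-X11-forwarding,no-pty ssh-dss AAAAB3NzaC1PLACEHOLDER== root@server2.example.com'
restricted_key_line "$sample"
```

To audit the whole file on server1, feed it line by line: `while IFS= read -r l; do restricted_key_line "$l"; done < ~/.ssh/authorized_keys`. Note that the check only confirms the option is present: sshd matches a hostname given in from= against the canonical name obtained by reverse lookup of the connecting address, so the reverse DNS entry for server2's address must resolve to exactly server2.example.com, or the key will be refused and ssh falls back to asking for someuser's password.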

Now we create the script /home/someuser/rsync/checkrsync that rejects all commands except rsync.

server1:

(We still do this as someuser!)

mkdir ~/rsync
vi ~/rsync/checkrsync

#!/bin/sh
# Invoked by sshd through the command="..." option in authorized_keys. The
# command the client actually asked for is in SSH_ORIGINAL_COMMAND; anything
# containing a shell metacharacter is rejected, and only an rsync server
# invocation is allowed to run.

case "$SSH_ORIGINAL_COMMAND" in
        *\&*)
                echo "Rejected"
                ;;
        *\(*)
                echo "Rejected"
                ;;
        *\{*)
                echo "Rejected"
                ;;
        *\;*)
                echo "Rejected"
                ;;
        *\<*)
                echo "Rejected"
                ;;
        *\`*)
                echo "Rejected"
                ;;
        rsync\ --server*)
                # the command rsync on server2 sends when it pulls from this host
                $SSH_ORIGINAL_COMMAND
                ;;
        *)
                echo "Rejected"
                ;;
esac

chmod 700 ~/rsync/checkrsync
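As an added example (not the article's own script), the decision logic of checkrsync is reproduced below as a function that answers "allow" or "reject" instead of executing anything, so it can be exercised against constructed SSH_ORIGINAL_COMMAND strings; a stricter variant beside it shows what the article's pattern does not pin down. MIRROR_ROOT and the sample command strings are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script: the decision logic of
# checkrsync as a function that answers "allow" or "reject" instead of
# executing anything, plus a stricter variant. Both can be exercised with
# constructed SSH_ORIGINAL_COMMAND strings. MIRROR_ROOT is an assumed value.

# Same rules as the article's case statement: the listed metacharacters
# are rejected, any "rsync --server..." command is allowed, everything
# else is rejected.
checkrsync_decision() {
    case "$1" in
        *'&'*|*'('*|*'{'*|*';'*|*'<'*|*'`'*) echo reject ;;
        rsync\ --server*)                      echo allow ;;
        *)                                     echo reject ;;
    esac
}

# Stricter variant. The allow branch of the real script expands
# $SSH_ORIGINAL_COMMAND unquoted, so the string is word-split and
# glob-expanded before rsync runs; pinning the argument shape is therefore
# the effective control. This version additionally requires --sender
# (server1 only ever sends; a plain "rsync --server" would let the same key
# write into server1), requires the last argument to be exactly the mirrored
# directory, and rejects glob characters so pathname expansion cannot widen
# the argument list.
MIRROR_ROOT="${MIRROR_ROOT:-/var/www/html/}"   # assumed mirror source

checkrsync_strict() {
    case "$1" in
        *'&'*|*'('*|*'{'*|*';'*|*'<'*|*'`'*|*'*'*|*'?'*|*'['*)
            echo reject ;;
        "rsync --server --sender "*" . $MIRROR_ROOT")
            echo allow ;;
        *)
            echo reject ;;
    esac
}

# Stand-alone demonstration over constructed command strings.
for cmd in \
    'rsync --server --sender -vlogDtprze.iLsfx --delete . /var/www/html/' \
    'rsync --server -vlogDtprze.iLsfx . /var/www/html/' \
    'ls -la /var/www/html'
do
    printf '%-70s article:%s strict:%s\n' "$cmd" \
        "$(checkrsync_decision "$cmd")" "$(checkrsync_strict "$cmd")"
done
```

To deploy the strict variant as the real checkrsync, replace `echo allow` with `exec $SSH_ORIGINAL_COMMAND` (unquoted on purpose, as in the article) and `echo reject` with `echo Rejected; exit 1`. The option string rsync passes in server mode (-vlogDtprze.iLsfx above is a constructed sample) depends on the rsync version and on the client flags, so before tightening the pattern, log `$SSH_ORIGINAL_COMMAND` once from the script on server1, run the test from step 6, and compare what actually arrives.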

 

6 Test rsync On server2.example.com

Now we test from server2.example.com whether we can mirror server1.example.com without being prompted for someuser's password. We do this:

server2:

(We do this as root!)

rsync -avz --delete --exclude=**/stats --exclude=**/error --exclude=**/files/pictures -e "ssh -i /root/rsync/mirror-rsync-key" someuser@server1.example.com:/var/www/html/ /var/www/html/

(The --delete option means that files that have been deleted on server1.example.com should also be deleted on server2.example.com. The --exclude option means that these files/directories should not be mirrored; e.g. --exclude=**/error means "do not mirror /var/www/html/error". You can use multiple --exclude options. I have listed these options as examples; you can adjust the command to your needs. Have a look at

man rsync

for more information.)

You should now see that the mirroring takes place...

[root@server2 ~]# rsync -avz --delete --exclude=**/stats --exclude=**/error --exclude=**/files/pictures -e "ssh -i /root/rsync/mirror-rsync-key" someuser@server1.example.com:/var/www/html/ /var/www/html/
receiving incremental file list

sent 62 bytes received 48 bytes 73.33 bytes/sec
total size is 20 speedup is 0.18
[root@server2 ~]#

... without being prompted for a password! This is what we wanted.

 

7 Create A Cron Job

We want to automate the mirroring, so we create a cron job for it on server2.example.com. Run crontab -e as root:

server2:

(We do this as root!)

crontab -e

and create a cron job like this:

*/5 * * * * /usr/bin/rsync -azq --delete --exclude=**/stats --exclude=**/error --exclude=**/files/pictures -e "ssh -i /root/rsync/mirror-rsync-key" someuser@server1.example.com:/var/www/html/ /var/www/html/

This would run rsync every 5 minutes; adjust it to your needs (see

man 5 crontab

). I use the full path to rsync here (/usr/bin/rsync) just to make sure that cron knows where to find rsync. Your rsync location might differ. Run

server2:

(We do this as root!)

which rsync

to find out where yours is.

 

8 Links


Submitted by Senthil (not registered) on Mon, 2012-02-27 14:38.

Hi,

It works fine... But it asks for a password whenever it connects to the master. Also crontab can't work for this reason.

Please, anyone, help me.

 Thanks

Submitted by joseph (not registered) on Thu, 2011-01-20 23:59.

I found out after several hours of redoing these steps that if you are ssh-ing into any of the computers, i.e. server1 or server2, you need to ssh into the FQDN to do the key generation and rsync-ing. Otherwise the keys will not match and you will need to put in someuser's password.

FYI:

Fedora13, clean install on 6 machines

with: http://www.howtoforge.com/mysql_database_replication

and: http://www.howtoforge.com/high-availability-load-balancer-haproxy-heartbeat-fedora8, but changed to keepalived instead of heartbeat.

Submitted by Nelson (not registered) on Wed, 2010-01-13 11:29.

Hi,

I know that this is not the place where a person should ask for help, but I found something that probably a few others may find too, and it would be a shame if, for a small thing, this how-to could not produce the desired results.

Anyway, I found that (in my case) the authorized_keys file does not work as it should. After some trial and error, I discovered that using the parameter ' from="server2.example.com" ' results in the rsync command from server1 asking for the password for 'someuser'. If we take this parameter out of the authorized_keys file, the rsync command works like a charm.

I feel that this may lead to an insecure system, since it may allow an rsync command from any other host, but since I am not sure, this would be a doubt I have.

 Thanks in advance, Nelson Ribeiro.