Step 3: Edit The Public Key On server1.example.com
Log in as root on server1.example.com and have a look at /root/.ssh/authorized_keys. It should look similar to this:
ssh-rsa AAAAB3Nza[...]W1go9M= rdiff-backup@backup
Now prepend the following string to /root/.ssh/authorized_keys:
command="rdiff-backup --server --restrict-read-only /",from="backup.example.com",no-port-forwarding,no-X11-forwarding,no-pty
It must be on one line(!) with the key, separated only by a space:
command="rdiff-backup --server --restrict-read-only /",from="backup.example.com",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3Nza[...]W1go9M= rdiff-backup@backup
This will run the command rdiff-backup --server --restrict-read-only / when the user rdiff-backup from backup.example.com connects to server1.example.com over SSH. --restrict-read-only / makes sure that rdiff-backup has only read access on server1.example.com. Whether this works depends on your rdiff-backup version. If it does not work for you, you can leave out --restrict-read-only / so that it reads
command="rdiff-backup --server",from="backup.example.com",no-port-forwarding,no-X11-forwarding,no-pty
In from="backup.example.com" you should use the hostname that a reverse lookup of backup.example.com's IP address returns. For example, if backup.example.com's IP address is 1.2.3.4, and
dig -x 1.2.3.4
returns
rdiff-backup@backup:~$ dig -x 1.2.3.4
; <<>> DiG 9.2.4 <<>> -x 1.2.3.4
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38020
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;4.3.2.1.in-addr.arpa. IN PTR
;; ANSWER SECTION:
4.3.2.1.in-addr.arpa. 43200 IN PTR server3245.somehoster.com.
;; Query time: 118 msec
;; SERVER: 145.253.2.75#53(145.253.2.75)
;; WHEN: Thu Oct 13 14:56:03 2005
;; MSG SIZE rcvd: 83
rdiff-backup@backup:~$
then you should use server3245.somehoster.com:
command="rdiff-backup --server --restrict-read-only /",from="server3245.somehoster.com",no-port-forwarding,no-X11-forwarding,no-pty
You can also use backup.example.com's IP address:
command="rdiff-backup --server --restrict-read-only /",from="1.2.3.4",no-port-forwarding,no-X11-forwarding,no-pty
Next run
chmod -R go-rwx /root/.ssh
Then have a look at /etc/ssh/sshd_config. It should contain the lines
RSAAuthentication yes
PubkeyAuthentication yes
Restart ssh if you had to change /etc/ssh/sshd_config:
/etc/init.d/ssh restart
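The restrictions set in Step 3 can be checked mechanically. The following Python audit is an added example, not part of the original tutorial: it parses authorized_keys lines (honouring the quoted command string) and reports keys that lack the forced command or the other options, including the case where options and key ended up on separate lines. The function names and the sample key are constructed for illustration.

```python
import re
# Added example (not from the tutorial): audit authorized_keys text for the Step 3 restrictions.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
REQUIRED = ("command", "from", "no-port-forwarding", "no-x11-forwarding", "no-pty")
# One option: a name, optionally followed by ="value" (value may contain spaces and commas).
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')

def parse_line(line):
    """Return (options, key_type); key_type is None when no key follows the options."""
    first = line.split()[0]
    if first in KEY_TYPES:              # bare key, no options field at all
        return {}, first
    opts, pos = {}, 0
    while (m := OPT.match(line, pos)):
        opts[m.group(1).lower()] = m.group(2)   # sshd treats option names case-insensitively
        pos = m.end()
        if line[pos:pos + 1] != ",":    # the options field ends at the first unquoted space
            break
        pos += 1
    rest = line[pos:].split()
    return opts, (rest[0] if rest and rest[0] in KEY_TYPES else None)

def audit(text):
    """Return [(line number, problem)] for every entry that is not locked down."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, key_type = parse_line(line)
        missing = [o for o in REQUIRED if o not in opts]
        if key_type is None:
            findings.append((n, "no key after the options; they must share one line"))
        elif missing:
            findings.append((n, "missing: " + ", ".join(missing)))
        elif not (opts["command"] or "").startswith("rdiff-backup --server"):
            findings.append((n, "forced command is not rdiff-backup --server"))
    return findings

# Constructed sample: the key material is a placeholder, not a real key.
KEY = "ssh-rsa AAAAB3NzaPLACEHOLDER= rdiff-backup@backup"
OPTS = ('command="rdiff-backup --server --restrict-read-only /",'
        'from="backup.example.com",no-port-forwarding,no-X11-forwarding,no-pty')
SAMPLE = "\n".join([OPTS + " " + KEY, OPTS, KEY, 'command="rdiff-backup --server",no-pty ' + KEY])

if __name__ == "__main__":
    for n, problem in audit(SAMPLE):
        print(f"line {n}: {problem}")
```

Line 3 of the sample is the dangerous case: when the options land on their own line, the key on the following line is accepted with no restrictions at all.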
Step 4: Test rdiff-backup On backup.example.com
Back on backup.example.com, again as the user rdiff-backup, we test the backup:
cd /backup
rdiff-backup server1_backup::/boot boot
In the second command you see the string server1_backup. That is the string we used in /backup/.ssh/config after host. With this second command, the user rdiff-backup will connect to server1.example.com as the root user and save the directory /boot of server1.example.com to the directory /backup/boot on backup.example.com. If you see that it is working and you do not have to type in a password, then - congratulations! You did it!
Now all that is left to do is to create a cron job. Still as user rdiff-backup, run
crontab -e
and create a cron job like this:
40 2 * * * /usr/bin/rdiff-backup --exclude /tmp --exclude /mnt --exclude /proc --exclude /dev --exclude /cdrom --exclude /floppy server1_backup::/ /backup/server1
This runs the backup every night at 2.40h, saving the directory / with all subdirectories (excluding /tmp, /mnt, /proc, /dev, /cdrom, /floppy) of server1.example.com in /backup/server1 on backup.example.com.
(Note (a little off-topic): on Debian Sarge crontab -e will automatically open the editor nano. If you are used to working with the editor vi (like me), run the following commands:
rm -f /etc/alternatives/editor
ln -s /usr/bin/vi /etc/alternatives/editor
Afterwards, run crontab -e, and vi will come up.)
To find out more about rdiff-backup commands (especially how to restore a backup), run
man rdiff-backup
and have a look at http://www.nongnu.org/rdiff-backup/examples.html.
Links
rdiff-backup Homepage: http://www.nongnu.org/rdiff-backup/index.html
rdiff-backup Examples: http://www.nongnu.org/rdiff-backup/examples.html