After my guide on setting up Rdiff-Backup to PULL backups from another server, I setup Two-factor SSH and Virtualmin Authentication via Google-Authenticator – having set this up I did not want to allow Public Key login to my server. So I had to move over to PUSH backups
To Setup Rdiff-Backup to push a server backup to the backup server follow this guide:
1. Lets start with installing rdiff-backup on the backup server and then host-server (server to be backed up to the backup server) – make sure you get the same version installed on both servers:
yum install rdiff-backup
2. On the backup server, create a new account (Using Webmin) which will be used to perform the backup:
No Login Allowed
3. Create a passphrase-free ssh key on host server that will be placed on the backup server so that the host server can log in to the backup server and write the files to the backup location automatically: (This is the other way around from what we do on the PULL backup setup)
So on the host server:
Change to a user you would like to create the Public key for, this could be root or another user.
su -m rdiff-backup
ssh-keygen -t rsa
Generating public/private rsa key pair. Enter file in which to save the key (/rdiff-backup/.ssh/id_rsa): /backup/.ssh/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /backup/.ssh/id_rsa. Your public key has been saved in /backup/.ssh/id_rsa.pub. The key fingerprint is: e0:fc:4a:8a:51:a8:c7:3a:e4:3a:3c:22:f9:4e:35:ca [email protected]
Your key fingerprint will almost certainly differ from the example here.
For the root user, Create an ssh config alias which defines how the host server to contact the backup server with the public key. Place the following into /root/.ssh/config: this has to be the root user, as we need to run the backup as the root user to be able to access
Paste this into the file and insert your settings where needed:
host example_backup hostname xxx.xxx.xxx.xxx port xx user rdiff-backup identityfile /home/rdiff-backup/.ssh/id_rsa compression yes protocol 2
## host = your name for the host server
## hostname = the hostname or IP of the host server
## port = your SSH port
## user = the user on the backup server that you will backup to
## identityfile = the public key you generated in the previous step
Note that “compression yes” is optional, and you may wish to omit it the servers are connected over high-speed nets.
This config entry enables the host server to use the “hostname”
example-backup wherever ssh expects a real hostname. ssh will use the information specified in the config file, which will result in a automatic connection to the backup server, using the specified key
You may need to make some file permission adjustments, it depends on your system:
chmod -R go-rwx /root/.ssh
4. Give permission for the host server to access the backup server and store the backup:
You need the public portion of the key you just generated on the host server :
You should see a really long key that starts with something like this – with example.com being your host servers hostname.
ssh-rsa AAAAB3NzaC1yc2EAAAAB[...] [email protected]
Assuming that [email protected]backup server`s home directory is
/home/rdiff-backup, we will construct a terribly long line in the file
/home/rdiff-backup/.ssh/authorized_keys2 (on the backup server). The line is so long that I’m going to break it in two here for demonstration purposes only, you must join this first line and the public key from above on one line, with only a space between them:
Now on the backup server:
We will no paste the really long line in there – but we are splitting in up into two to make it easier to do-
so the firs part is the command that is allowed – with xxx.xxx.xxx.xxx being ether your host servers hostname or IP
now place a space after the no-pty
then the second part is the long ssh-rsa we got from – cat /home/rdiff-backup/.ssh/id_rsa.pub in the previous step
ssh-rsa AAAAB3NzaC1yc2EAAAAB[...] [email protected]
so your final line should look something like this:
command="rdiff-backup --server --restrict-read-only /",from="xxx.xxx.xxx.xxx",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQBFRCWgRVs0BhZ2FPxUgRsuWgSSLV7dD+7Db8uV5PRZxAUWWmO8Wbqh0C1daMT86D3BbBwtbC9Clxr7XgalHoL8v65qgl0TZBecGdFWC4Zt+s2YmkUmVcPv/idfnRCHgIhoUKsadsadzzHWef6p7MMCfCp/z7/34357fiwbQ0RCcWnQMORO/dgMJ5LSsXKCOPzsbTt1/i8NulTUNCjlVb4LsCGFX1wscRbXNT4Y6fKMURK0y3kvZ7s888+6utjPnLjVeR7FNL3NtAZyhvbZe6mDFf9G6Usef+4bCgpNBG2Ff2JPbpv0KW+S/Q2jIPhmhJFXs7IYwhPRSoJNUefjdBpvF7xRs/w== [email protected]
This entry in
/home/rdiff-backup/.ssh/authorized_keys2 permits anyone with the specified key (i.e. [email protected] (example.com = host servers hostname) to connect with ssh from the host named xxx.xxx.xxx.xxx (host servers hostname or IP) and issue the forced rdiff-backup command. It further restricts the ssh connection to eliminate port forwarding, X11 forwarding and a pty.
If you have any troubles, this step is the one which has most likely caused you problems. Here are some troubleshooting guidelines:
- Make sure there are no line breaks in the authorized_keys2 entry.
- Use the reverse DNS response for host servers address in
- Make sure you copied the public key properly.
- Ensure file permissions are set properly:
To set the permissions run this command on the host server
chmod -R go-rwx /home/rdiff-backup/.ssh
- Make sure rdiff-backup is in root’s PATH, or add a full path to
- Look in
5. Perform a test backup and populate known_hosts.
You should now be able to perform a test backup. During this test ssh will probably ask you to accept the backup servers host key — you will need to complete this step before you can begin an unattended backup.
On the host server as the root user:
rdiff-backup--print-statistics /tmp example_backup::/home/rdiff-backup/test/
If you are asked for a password or passphrase then something is wrong. Other than asking you to verify the host key it should succeed in performing a backup of /tmp to example_backup
Assuming the first attempt asked you to verify the host key, run the test a second time to verify that it asks you nothing.
6. To include and exclude files and folders in the backup process.
We will create a file list that can both include and exclude files and folders on the host server to be backed up to the backup server. Its best to place this file in a folder in the rdiff-backup users home directory.
On the host server:
Create a file called filelist.txt
##To exclude files/folders we have to place a “-” in front of the file/folder.
##To include files/folders we simply place the file/folders name in the list.
## For more examples see : http://rdiff-backup.nongnu.org/examples.html
So lets place something like this into to file:
- /tmp - /mnt - /proc - /var/tmp - /var/cache - /home/rdiff-backup - /home/vdomains
## I exclude some of the normal directories but also the directory where other server backups are stored on the host server (/home/rdiff-backup) as as well as the home of my Virtualmin Domains, as I back this up using the Virtualmin backup feature as to also backup the Databases!
7. Create a cron job on the host server to initiate your backup – use webmin.
rdiff-backup --include-globbing-filelist /home/rdiff-backup/config/filelist.txt / example_backup::/home/rdiff-backup/example.com
Pick a time – once a day or week or what ever you want!