Radical Server Unit/3.Treffen: Difference between revisions

from the Metalab Wiki, the open centre for meta-disciplinary magicians and technically creative enthusiasts.
(The page was created: „--- Minutes for the Radical-Server-Unit meeting in Vienna on 31.05.2016 at Metalab --- 31.5.2016 Talks today: * MacLemon - Backups * redplanet - duplic…“)
 
(Update archive with the other etherpad)
 
Zeile 1: Zeile 1:
--- Protokoll für das Radical-Server-Unit Treffen in Wien am 31.05.2016 im Metalab ---
+
Nächstes Thema: "Selber Housing" - Rechner selbst aufsetzen
 +
 
 +
[[Radical_Server_Unit/Themen|Andere Themen bzw. Themenvorschläge]]
 +
 
 +
= Radical Server Unit - Backups - 2016-05-31 =
 +
Weitere Dinge die Du Dir ansehen kannst:
 +
 
 +
Unix, Linux, BSD, OS X, command line tools, scripts:
 +
* [https://rsync.samba.org/ rsync(1)] - [http://explainshell.com/explain/1/rsync man rsync]
 +
* [http://explainshell.com/explain/1/scp scp(1) - man scp]
 +
* [http://explainshell.com/explain/1/sftp sftp(1) - man sftp]
 +
* [http://explainshell.com/explain/8/dump dump(8)]/[http://explainshell.com/explain/8/restore restore(8)]
 +
* [http://explainshell.com/explain/1/dd dd(1) - man dd]
 +
* [http://www.rsnapshot.org/ rsnapshot]
 +
* [http://www.arkeia.com/index.php/WD_Arkeia_network_backup_Documentation arkeia]
 +
* [http://www.amanda.org/ amanda]
 +
* [http://www.bacula.org/ bacula]
 +
* [http://www.cis.upenn.edu/~bcpierce/unison/ unison]
 +
* [https://duplicity.nongnu.org duplicity]
 +
* [https://github.com/borgbackup borg backup]
 +
* [https://git-annex.branchable.com/ git annex]
 +
* [http://open-zfs.org/wiki/Main_Page ZFS(8) send]
 +
* [https://github.com/bup/bup bup] or. [https://github.com/jborg/attic/ attic]
 +
* '''Another Backup Tool Overview is also available at [https://wiki.archlinux.org/index.php/Synchronization_and_backup_programs archwiki]'''
 +
 
 +
=== borg backup ===
 +
Talk auf der [https://media.ccc.de/v/gpn16-7584-borgbackup Gulaschprogrammiernacht 2016]
 +
 
 +
=== OS X Utilities ===
 +
* '''Build-In''': Time Machine (Kann verschlüsselte Backups anlegen, muß aber angehakt werden.)
 +
* 3rd Party solutions for File Backups
 +
** Arq: https://www.arqbackup.com/ (Verschlüsselte Backups via SFTP, S3, etc.)
 +
** Chronosync: http://www.econtechnologies.com/chronosync/overview.html
 +
** mlbackup (rsync wrapper speziell für OS X) https://maclemon.at/downloads/
 +
* 3rd Party Solutions for full bootable disk clones
 +
** Carbon Copy Cloner: https://bombich.com/ (verschlüsselte, bootfähige Clones)
 +
** SuperDuper: http://www.shirt-pocket.com/SuperDuper/SuperDuperDescription.html
 +
 
 +
=== Android (Rooted) ===
 +
* [https://www.androidpit.de/top-backup-apps-android Titanium Backup]
 +
* rsync/rsync
 +
* [https://www.tolaris.com/2011/06/13/backing-up-your-android-device-with-backuppc/ BackupPC Android-"Client"]
 +
 
 +
=== iOS ===
 +
* iTunes (bei OS X dabei, unbedingt "verschlüsselt" anhaken.
 +
* Nicht zu empfehlen, auch wenns komfortabel ist
 +
** Apple iCloud (Sind IMMER plaintext, können auch nicht verschlüsselt werden)
 +
 
 +
== Duplicity Backups made easy ==
 +
[https://duplicity.nongnu.org Duplicity] Provides encrpted and incremental backups for Linux, *BSD, OSX. Uses librsync, gpg, tar, bzip, sftp,....
 +
 
 +
# First of all we will set up ssh config locally so we can reference our Host for the backups as "backup-host"
 +
# Generate a SSH-Keypair for connecting to the host with ssh-keygen (see man for details)
 +
# Choose between a basic setup or chrooted sftp only users for maximum paranoia.
 +
#* If you want chrooted sftp only users on your sshd add/modify your servers ssh config according to "Server side for CHROOTED USERS"
 +
#* If you do not want changerooted users serverside, skip step 3)
 +
# Pick a Duplicity Command from below based on your requirements. Examples are provided for encryption with either passphrase or GPG Public Key. Make sure you choose your example based on sftp vs normal user on the server.
  
31.5.2016
 
  
Vorträge Today:
 
* MacLemon - Backups
 
* redplanet - duplicity
 
** http://duplicity.nongnu.org/
 
** https://etherpad.funkfeuer.at/p/rsu_backup
 
* albert - borg
 
** http://borgbackup.readthedocs.io/en/stable/
 
* pl - bup
 
  
Nächstes Thema: "Selber Housing" - Rechner selbst aufsetzen
+
=== SSH Client side config ===
 +
 
 +
  Host backup-host
 +
      HostName backup-host.example.com
 +
      Port 22
 +
      User BACKUP-USERNAME
 +
      IdentityFile /home/localuser/.ssh/id_rsa
 +
 
 +
 
 +
=== GPG key for only home (run as user) -non chroot ===
 +
Before first run:
 +
 
 +
  gpg --recv-keys GPG_key
 +
 
 +
 
 +
Run/do Backups
 +
 
 +
  duplicity /home/USERNAME/ \
 +
      --encrypt-key GPG_KEY \
 +
          --full-if-older-than 12M \
 +
          --asynchronous-upload \
 +
          --exclude /home/USERNAME_LOCAL/.cache \
 +
          --exclude /home/USERNAME_LOCAL/Downloads \
 +
          --exclude /home/USERNAME_LOCAL/.wine \
 +
          --exclude /home/USERNAME_LOCAL/.VirtualBox \
 +
          --exclude /home/USERNAME_LOCAL/.gvfs \
 +
          --exclude /home/USERNAME_LOCAL/.kvm \
 +
          sftp://backup-host/home/BACKUP-USERNAME/2015
 +
 
 +
=== Passphrase key for only home (run as user) -non chroot ===
 +
  export PASSPHRASE=_________YOUR_PASSPHRASE_GOES_HERE_____________
 +
  duplicity /home/USERNAME/ \
 +
      --encrypt-key GPG_KEY \
 +
          --full-if-older-than 12M \
 +
          --asynchronous-upload \
 +
          --exclude /home/USERNAME_LOCAL/.cache \
 +
          --exclude /home/USERNAME_LOCAL/Downloads \
 +
          --exclude /home/USERNAME_LOCAL/.wine \
 +
          --exclude /home/USERNAME_LOCAL/.VirtualBox \
 +
          --exclude /home/USERNAME_LOCAL/.gvfs \
 +
          --exclude /home/USERNAME_LOCAL/.kvm \
 +
          sftp://backup-host/home/BACKUP-USERNAME/2015
 +
  unset PASSPHRASE
 +
 
 +
 
 +
=== Server side for CHROOTED USERS ===
 +
add the group sftp_users
 +
 
 +
add to /etc/ssh/sshd_config
 +
 
 +
  AuthorizedKeysFile      /etc/ssh/AUTH-KEYS-USERS/%u
 +
 
 +
  Match group sftp_users
 +
      ChrootDirectory %h
 +
      ForceCommand internal-sftp
 +
      AllowTcpForwarding no
 +
      AllowAgentForwarding no
 +
      PermitTunnel no
 +
      PermitTTY no
 +
      X11Forwarding no
 +
 
 +
 
 +
 
 +
make directory for client public keys in /etc/sshd
 +
 
 +
  mkdir -p /etc/ssh/AUTH-KEYS-USERS/
 +
 
 +
 
 +
add a new user for the sftp only access and add him sftp user group
 +
 
 +
 
 +
  nano /etc/ssh/AUTH-KEYS-USERS/__username___
 +
  chown -R __username___:sftp_users /etc/ssh/AUTH-KEYS-USERS/__username___
 +
  chown root:root /home/__username___
 +
 
 +
 
 +
 
 +
=== Passphrase for only home (run as user) ===
 +
 
 +
 
 +
  export PASSPHRASE=_________YOUR_PASSPHRASE_GOES_HERE_____________
 +
  duplicity /home/USERNAME/ \
 +
          --full-if-older-than 12M \
 +
          --asynchronous-upload \
 +
          --exclude /home/USERNAME_LOCAL/.cache \
 +
          --exclude /home/USERNAME_LOCAL/Downloads \
 +
          --exclude /home/USERNAME_LOCAL/.wine \
 +
          --exclude /home/USERNAME_LOCAL/.VirtualBox \
 +
          --exclude /home/USERNAME_LOCAL/.gvfs \
 +
          --exclude /home/USERNAME_LOCAL/.kvm \
 +
          sftp://backup-host/2016
 +
  unset PASSPHRASE
 +
 
 +
 
 +
=== Passphrase for all files (run as root) ===
 +
 
 +
  export PASSPHRASE=_________YOUR_PASSPHRASE_GOES_HERE_____________
 +
  duplicity / \
 +
          --full-if-older-than 12M \
 +
          --asynchronous-upload \
 +
          --volsize 500 \
 +
          --exclude /dev \
 +
          --exclude /media \
 +
          --exclude /mnt \
 +
          --exclude /proc \
 +
          --exclude /run \
 +
          --exclude /sys \
 +
          --exclude /tmp \
 +
          --exclude /home/USERNAME_LOCAL/.cache \
 +
          --exclude /home/USERNAME_LOCAL/Downloads \
 +
          --exclude /home/USERNAME_LOCAL/.wine \
 +
          --exclude /home/USERNAME_LOCAL/.VirtualBox \
 +
          --exclude /home/USERNAME_LOCAL/.gvfs \
 +
          --exclude /home/USERNAME_LOCAL/.kvm \
 +
          sftp://backup-host/2016
 +
  unset PASSPHRASE
 +
 
 +
 
 +
=== GPG key for only home (run as user) ===
 +
Before first run:
 +
 
 +
  gpg --recv-keys GPG_key
 +
 
 +
 
 +
do backups:
  
https://metalab.at/wiki/Radical_Server_Unit/Themen
+
  duplicity /home/USERNAME/ \
 +
      --encrypt-key GPG_KEY \
 +
          --full-if-older-than 12M \
 +
          --asynchronous-upload \
 +
          --exclude /home/USERNAME_LOCAL/.cache \
 +
          --exclude /home/USERNAME_LOCAL/Downloads \
 +
          --exclude /home/USERNAME_LOCAL/.wine \
 +
          --exclude /home/USERNAME_LOCAL/.VirtualBox \
 +
          --exclude /home/USERNAME_LOCAL/.gvfs \
 +
          --exclude /home/USERNAME_LOCAL/.kvm \
 +
          sftp://backup-host/2016
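Review bot: the new section "Passphrase key for only home (run as user) -non chroot" exports PASSPHRASE but still passes `--encrypt-key GPG_KEY`, so the command is the GPG-key variant again and the passphrase is not what protects the backup; drop the `--encrypt-key GPG_KEY` line, as the later "Passphrase for only home (run as user)" section does. Two smaller points in the server-side section: the text says "make directory for client public keys in /etc/sshd" while the command creates /etc/ssh/AUTH-KEYS-USERS/ (the sshd_config line uses /etc/ssh as well), and after `chown root:root /home/__username___` (which ChrootDirectory requires) the chrooted user cannot create the `2016` directory that sftp://backup-host/2016 points at, so the steps should also create a user-owned subdirectory inside the home. In the home-directory variants the source is /home/USERNAME/ while the excludes name /home/USERNAME_LOCAL/..., which lie outside the source tree and therefore exclude nothing; the placeholders should match.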

Current version as of 1 June 2016, 09:32

Next topic: "Self-housing" - setting up the machine yourself

Other topics and topic suggestions

Radical Server Unit - Backups - 2016-05-31

Other things worth looking at:

Unix, Linux, BSD, OS X, command line tools, scripts:

  • rsync(1): https://rsync.samba.org/ (man rsync: http://explainshell.com/explain/1/rsync)
  • scp(1): http://explainshell.com/explain/1/scp
  • sftp(1): http://explainshell.com/explain/1/sftp
  • dump(8)/restore(8): http://explainshell.com/explain/8/dump and http://explainshell.com/explain/8/restore
  • dd(1): http://explainshell.com/explain/1/dd
  • rsnapshot: http://www.rsnapshot.org/
  • arkeia: http://www.arkeia.com/index.php/WD_Arkeia_network_backup_Documentation
  • amanda: http://www.amanda.org/
  • bacula: http://www.bacula.org/
  • unison: http://www.cis.upenn.edu/~bcpierce/unison/
  • duplicity: https://duplicity.nongnu.org
  • borg backup: https://github.com/borgbackup
  • git annex: https://git-annex.branchable.com/
  • ZFS(8) send: http://open-zfs.org/wiki/Main_Page
  • bup: https://github.com/bup/bup or attic: https://github.com/jborg/attic/
  • Another backup tool overview is available in the archwiki: https://wiki.archlinux.org/index.php/Synchronization_and_backup_programs

borg backup

Talk at the Gulaschprogrammiernacht 2016: https://media.ccc.de/v/gpn16-7584-borgbackup

OS X Utilities

  • Built-in: Time Machine (can create encrypted backups, but this has to be ticked explicitly)
  • 3rd party solutions for file backups
    • Arq: https://www.arqbackup.com/ (encrypted backups via SFTP, S3, etc.)
    • Chronosync: http://www.econtechnologies.com/chronosync/overview.html
    • mlbackup (rsync wrapper specifically for OS X): https://maclemon.at/downloads/
  • 3rd party solutions for full bootable disk clones
    • Carbon Copy Cloner: https://bombich.com/ (encrypted, bootable clones)
    • SuperDuper: http://www.shirt-pocket.com/SuperDuper/SuperDuperDescription.html

Android (Rooted)

  • Titanium Backup: https://www.androidpit.de/top-backup-apps-android
  • rsync
  • BackupPC Android "client": https://www.tolaris.com/2011/06/13/backing-up-your-android-device-with-backuppc/

iOS

  • iTunes (ships with OS X; be sure to tick "encrypted")
  • Not recommended, even though it is convenient:
    • Apple iCloud (is ALWAYS plaintext and cannot be encrypted)

Duplicity Backups made easy

Duplicity (https://duplicity.nongnu.org) provides encrypted and incremental backups for Linux, *BSD and OS X. It uses librsync, gpg, tar, bzip, sftp, ...

  1. First we set up the local ssh config so that the backup host can be referenced as "backup-host".
  2. Generate an SSH key pair for connecting to the host with ssh-keygen (see the man page for details).
  3. Choose between a basic setup or chrooted sftp-only users for maximum paranoia.
    • If you want chrooted sftp-only users on your sshd, add/modify your server's ssh config according to "Server side for CHROOTED USERS".
    • If you do not want chrooted users on the server side, skip step 3.
  4. Pick a duplicity command from below based on your requirements. Examples are provided for encryption with either a passphrase or a GPG public key. Make sure you choose the example matching the server side: chrooted sftp-only user or normal user.


SSH Client side config

 Host backup-host
     HostName backup-host.example.com
     Port 22
     User BACKUP-USERNAME
     IdentityFile /home/localuser/.ssh/id_rsa


GPG key for only home (run as user) - non chroot

Before first run:

 gpg --recv-keys GPG_key


Run the backup:

 duplicity /home/USERNAME/ \
     --encrypt-key GPG_KEY \
     --full-if-older-than 12M \
     --asynchronous-upload \
     --exclude /home/USERNAME/.cache \
     --exclude /home/USERNAME/Downloads \
     --exclude /home/USERNAME/.wine \
     --exclude /home/USERNAME/.VirtualBox \
     --exclude /home/USERNAME/.gvfs \
     --exclude /home/USERNAME/.kvm \
     sftp://backup-host/home/BACKUP-USERNAME/2015

Passphrase for only home (run as user) - non chroot

 export PASSPHRASE=_________YOUR_PASSPHRASE_GOES_HERE_____________
 duplicity /home/USERNAME/ \
     --full-if-older-than 12M \
     --asynchronous-upload \
     --exclude /home/USERNAME/.cache \
     --exclude /home/USERNAME/Downloads \
     --exclude /home/USERNAME/.wine \
     --exclude /home/USERNAME/.VirtualBox \
     --exclude /home/USERNAME/.gvfs \
     --exclude /home/USERNAME/.kvm \
     sftp://backup-host/home/BACKUP-USERNAME/2015
 unset PASSPHRASE


Server side for CHROOTED USERS

Add the group sftp_users.

Add to /etc/ssh/sshd_config:

 AuthorizedKeysFile      /etc/ssh/AUTH-KEYS-USERS/%u
 Match group sftp_users
     ChrootDirectory %h
     ForceCommand internal-sftp
     AllowTcpForwarding no
     AllowAgentForwarding no
     PermitTunnel no
     PermitTTY no
     X11Forwarding no


Create the directory for the clients' public keys in /etc/ssh:

 mkdir -p /etc/ssh/AUTH-KEYS-USERS/


Add a new user for the sftp-only access, add them to the sftp_users group, and put the client's public key into the per-user file:


 nano /etc/ssh/AUTH-KEYS-USERS/__username___
 chown -R __username___:sftp_users /etc/ssh/AUTH-KEYS-USERS/__username___
 chown root:root /home/__username___
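Before enabling the Match block it pays to check the conditions sshd puts on ChrootDirectory and to create the user-writable directory the target URL points at; this added example (not from the wiki page) does both, assuming GNU stat on Linux and the user/group names used above:

```shell
#!/bin/sh
# Added example, not from the wiki page: pre-flight checks for the chrooted
# sftp_users setup above. sshd accepts "ChrootDirectory %h" only if the home
# and every directory above it are owned by root and not group/world
# writable (otherwise logins fail with "bad ownership or modes for chroot
# directory"), and since the home is then root-owned, the directory that
# sftp://backup-host/2016 points at must be created for the user. Assumes
# GNU stat; OWNER is a parameter only so the check can run on a test directory.
set -eu

# Return 0 if DIR is owned by OWNER (default root) and carries no group or
# other write bit, 1 otherwise.
check_chroot_dir() {
    dir="$1"; owner="${2:-root}"
    info=$(stat -c '%U %a' "$dir") || return 1     # "owner octal-mode"
    set -- $info
    if [ "$1" != "$owner" ]; then
        echo "$dir: owned by $1, must be $owner" >&2; return 1
    fi
    perm=${2#"${2%???}"}                           # last three octal digits
    grp=${perm%?}; grp=${grp#?}; oth=${perm#??}
    if [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]; then
        echo "$dir: mode $2 is group/world writable" >&2; return 1
    fi
}

# Walk from the chroot up to /, checking every component as sshd does.
check_chroot_path() {
    p="$1"; rc=0
    while :; do
        check_chroot_dir "$p" || rc=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Create the user-writable upload directory inside the root-owned home:
# prepare_upload_dir alice 2016  ->  /home/alice/2016 owned by alice:sftp_users
prepare_upload_dir() {
    user="$1"; sub="$2"
    check_chroot_path "/home/$user"
    mkdir -p "/home/$user/$sub"
    chown "$user:sftp_users" "/home/$user/$sub"
    chmod 0700 "/home/$user/$sub"
}
```

Run check_chroot_path on the new home before restarting sshd; prepare_upload_dir needs root.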


Passphrase for only home (run as user)

 export PASSPHRASE=_________YOUR_PASSPHRASE_GOES_HERE_____________
 duplicity /home/USERNAME/ \
     --full-if-older-than 12M \
     --asynchronous-upload \
     --exclude /home/USERNAME/.cache \
     --exclude /home/USERNAME/Downloads \
     --exclude /home/USERNAME/.wine \
     --exclude /home/USERNAME/.VirtualBox \
     --exclude /home/USERNAME/.gvfs \
     --exclude /home/USERNAME/.kvm \
     sftp://backup-host/2016
 unset PASSPHRASE


Passphrase for all files (run as root)

 export PASSPHRASE=_________YOUR_PASSPHRASE_GOES_HERE_____________
 duplicity / \
         --full-if-older-than 12M \
         --asynchronous-upload \
         --volsize 500 \
         --exclude /dev \
         --exclude /media \
         --exclude /mnt \
         --exclude /proc \
         --exclude /run \
         --exclude /sys \
         --exclude /tmp \
         --exclude /home/USERNAME_LOCAL/.cache \
         --exclude /home/USERNAME_LOCAL/Downloads \
         --exclude /home/USERNAME_LOCAL/.wine \
         --exclude /home/USERNAME_LOCAL/.VirtualBox \
         --exclude /home/USERNAME_LOCAL/.gvfs \
         --exclude /home/USERNAME_LOCAL/.kvm \
         sftp://backup-host/2016
 unset PASSPHRASE


GPG key for only home (run as user)

Before first run:

 gpg --recv-keys GPG_key


Run the backup:

 duplicity /home/USERNAME/ \
     --encrypt-key GPG_KEY \
     --full-if-older-than 12M \
     --asynchronous-upload \
     --exclude /home/USERNAME/.cache \
     --exclude /home/USERNAME/Downloads \
     --exclude /home/USERNAME/.wine \
     --exclude /home/USERNAME/.VirtualBox \
     --exclude /home/USERNAME/.gvfs \
     --exclude /home/USERNAME/.kvm \
     sftp://backup-host/2016
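As an added example (not part of the wiki page), a wrapper that assembles the duplicity variants above from one place, so the passphrase and GPG-key forms cannot be mixed up, and that reads the passphrase from a protected file instead of an export typed into the shell; the defaults, the passphrase file and its path are assumptions:

```shell
#!/bin/sh
# Added example (not from the wiki page): wrapper around the duplicity
# commands above that keeps the two encryption variants apart. MODE "gpg"
# encrypts to the public key GPG_KEY; MODE "passphrase" does symmetric
# encryption with a passphrase read from PASSPHRASE_FILE (assumed to exist
# with mode 0600) instead of one typed after "export" into the shell history.
# The backup-host alias and target are the page's; the defaults are assumed.
set -eu
SOURCE="${SOURCE:-${HOME:-/root}/}"
TARGET="${TARGET:-sftp://backup-host/2016}"   # chrooted user: path inside %h
GPG_KEY="${GPG_KEY:-}"
PASSPHRASE_FILE="${PASSPHRASE_FILE:-${HOME:-/root}/.config/duplicity-passphrase}"
EXCLUDES=".cache Downloads .wine .VirtualBox .gvfs .kvm"   # as on the page

# Print the duplicity arguments for MODE, one per line so paths with spaces
# survive. The passphrase variant must not carry --encrypt-key: with that
# option duplicity encrypts to the key (restore then needs the private key)
# and PASSPHRASE is not used at all.
duplicity_args() {
    mode="$1"; src="$2"; dst="$3"; key="${4:-}"
    case "$mode" in
        gpg) [ -n "$key" ] || { echo "gpg mode needs GPG_KEY" >&2; return 1; }
             printf '%s\n' "$src" --encrypt-key "$key" ;;
        passphrase) printf '%s\n' "$src" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf '%s\n' --full-if-older-than 12M --asynchronous-upload
    for d in $EXCLUDES; do printf '%s\n' --exclude "${src%/}/$d"; done
    printf '%s\n' "$dst"
}

run_backup() {
    mode="$1"
    if [ "$mode" = passphrase ]; then
        # GNU stat; refuse a passphrase file that other users could read
        [ "$(stat -c %a "$PASSPHRASE_FILE")" = 600 ] ||
            { echo "$PASSPHRASE_FILE must be mode 0600" >&2; return 1; }
        PASSPHRASE="$(cat "$PASSPHRASE_FILE")"; export PASSPHRASE
    else
        gpg --list-keys "$GPG_KEY" >/dev/null   # fail early if the key is absent
    fi
    args="$(duplicity_args "$mode" "$SOURCE" "$TARGET" "$GPG_KEY")"
    set --
    while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$args
EOF
    duplicity "$@"
    unset PASSPHRASE
}
case "${1:-}" in run) run_backup "${2:-gpg}" ;; esac   # ./backup.sh run gpg
```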