Nicolas BERTRAND, 11/01/2017 16:31
Backup
Links
- Backup_infra
- Apt_Backports_TTNN borg debian packaging
- https://www.reddit.com/r/linux/comments/42feqz/i_asked_here_for_the_optimal_backup_solution_and/
BackupPC
Attic
- https://attic-backup.org/
- https://lists.tetaneutral.net/pipermail/technique/2015-September/001971.html
- Backup software: choosing attic
Borg
- https://github.com/borgbackup
- http://readthedocs.org/projects/borgbackup/
- http://puppet.tetaneutral.net/pool/main/b/borgbackup/
- http://puppet.tetaneutral.net/dists/
- https://github.com/witten/borgmatic
Borg script
Note 20160428: the script is probably unnecessary, cf. https://github.com/borgbackup/borg/issues/994
For a machine that will be powered off and back on in an uncontrollable manner.
Initial creation with a normal user able to ssh to MACHINE:PORT:

    borg init --encryption keyfile ssh://USER@MACHINE:PORT/some/where/borg/NICK-repo

There are 2 types of encryption, keyfile and repokey:
- keyfile: the key is stored 'locally' and must also be backed up. "passphrase + key" mode
- repokey: the key is stored in the repo only: "passphrase only" mode
11.1026 < guerby> [09:39:25] zorun, do you have a ref in the docs? what I found: http://borgbackup.readthedocs.io/en/stable/quickstart.html#encrypted-repos
11.1026 < guerby> [09:39:38] "so you still have the key in case it gets corrupted or lost. Also keep your passphrase at a safe place."
11.1026 < zorun> [09:50:10] guerby: search for "repokey" in https://borgbackup.readthedocs.io/en/stable/usage.html
11.1026 < zorun> [09:50:19] # Local repository (default is to use encryption in repokey mode)
11.1026 < zorun> [09:50:27] If you want “passphrase-only” security, use the repokey mode. The key will be stored inside the repository (in its “config” file). In above mentioned attack scenario, the attacker will have the key (but not the passphrase).
11.1026 < zorun> [09:50:43] If you want “passphrase and having-the-key” security, use the keyfile mode. The key will be stored in your home directory (in .config/borg/keys). In the attack scenario, the attacker who has just access to your repo won’t have the key (and also not the passphrase).
11.1026 < taziden> [09:51:21] and the default method is repokey
And set up cron + script:

    # crontab -l
    @reboot /root/cron-borg.sh

    # cat /root/cron-borg.sh
    #!/bin/bash
    export LANG=en_US.UTF-8
    mkdir -p /root/borg >& /dev/null
    # Wait 5 minutes after boot before starting
    sleep 300
    echo === start === $(date) >> /root/borg/cron.log
    NICK=myhost
    REPO=ssh://USER@MACHINE:PORT/some/where/borg/${NICK}-repo
    # Clear-text passphrase: keep this script mode 700, owned by root
    export BORG_PASSPHRASE=lalalala
    if [ -f /root/borg/stamp ]; then
      # A stamp file is left over when the previous run was interrupted:
      # reuse its archive name and clear the stale repository lock
      STAMP=$(cat /root/borg/stamp)
      borg break-lock $REPO
    else
      STAMP=$(date '+%Y%m%dT%H%M%S')
      if [ -f /root/borg/previous-stamp ]; then
        PREVIOUS_STAMP=$(cat /root/borg/previous-stamp)
        # At most one new archive per day: wait until the date changes
        while [ "${STAMP%T*}" = "${PREVIOUS_STAMP%T*}" ]; do
          STAMP=$(date '+%Y%m%dT%H%M%S')
          echo === delay === $(date) >> /root/borg/cron.log
          sleep 1h
        done
      fi
      echo $STAMP > /root/borg/stamp
    fi
    borg create --compression lz4 --stats --verbose \
      --exclude /root/borg --exclude '/home/*/.cache' --exclude-caches --one-file-system \
      ${REPO}::${NICK}-$STAMP / >> /root/borg/log-$STAMP 2>> /root/borg/err-$STAMP
    res=$?
    # borg exit codes: 0 = success, 1 = warning
    if [ $res -eq 0 -o $res -eq 1 ]; then
      mv -f /root/borg/stamp /root/borg/previous-stamp >& /dev/null
      rm -f /root/borg/stamp >& /dev/null
    fi
    echo === done === $res === $(date) >> /root/borg/cron.log
    # Re-run the script for the next archive
    exec "$0"
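Two checks that follow from the keyfile setup and the script above, as an added example that is not part of the original wiki page: the files holding the passphrase and the key must not be accessible to group or other, and in keyfile mode every key needs an identical copy outside the client. The function names audit_secret_perms and audit_key_backup are hypothetical, the paths are the ones used on this page, and GNU find (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example, not the wiki's own code. Assumes GNU find (-perm /MODE).

# Report secret-bearing paths that are missing or accessible to group/other.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_secret_perms() {
    rc=0
    for path in "$@"; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        # -perm /077 matches when any group or other permission bit is set
        loose=$(find "$path" \( -type f -o -type d \) -perm /077 -print)
        if [ -n "$loose" ]; then
            echo "$loose" | sed 's/^/LOOSE /'; rc=1
        fi
    done
    return $rc
}

# keyfile mode: every key in KEYDIR must have an identical copy in BACKUPDIR,
# otherwise losing the client disk leaves the repository undecryptable.
audit_key_backup() {
    keydir=$1; backupdir=$2; rc=0
    for key in "$keydir"/*; do
        [ -f "$key" ] || continue
        copy="$backupdir/$(basename "$key")"
        # cmp -s also fails when the copy does not exist
        if ! cmp -s "$key" "$copy"; then
            echo "NOBACKUP $key"; rc=1
        fi
    done
    return $rc
}

# Usage: sh this-file --run /path/to/key/copies
if [ "${1:-}" = "--run" ]; then
    audit_secret_perms /root/cron-borg.sh "$HOME/.config/borg/keys"
    audit_key_backup "$HOME/.config/borg/keys" "${2:?backup dir}"
fi
```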
Migrating from Attic to Borg
- https://github.com/borgbackup/borg/pull/231
- old: https://chiliproject.tetaneutral.net/projects/git-tetaneutral-net/repository/puppet-backup
- new: https://chiliproject.tetaneutral.net/projects/git-tetaneutral-net/repository/puppetmaster/revisions/master/entry/modules/ttnn/manifests/backup.pp
- git history BackupPC => Attic => Borg

    # apt-get -t jessie-backports install borgbackup
    $ cd /backup/attic/
    $ borg upgrade <repo>
    $ borg check --repair <repo>
    $ mv <repo> ../borg/
    $ chown -R backupinfra: /backup/borg/<repo>

In the puppet module, the most important change is the explicit compression parameter, which matches the default of attic create:

    attic create ... <repo> -> borg create --compression zlib,6 ... <repo>

Otherwise the next backup will be uncompressed, and no new chunks will match the old ones -> loss of deduplication. "zlib,6" is attic's compression level.
https://github.com/jborg/attic/issues/299
http://borgbackup.readthedocs.org/en/stable/usage.html#environment-variables
export ATTIC_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes