tedious ramblings

The blog of Robert Hafner

Backing Up with Puppet and rsnapshot

Posted on July 30, 2015 / July 28, 2015 by Robert Hafner

One of my favorite backup tools has always been rsnapshot. It’s based off of rsync and uses a nice trick with hardlinks to maintain incremental updates that are also full updates. It runs using a basic configuration and a series of cron jobs. This is Unix as it’s meant to be: extremely lightweight while also being very powerful.

I am rather picky with how it is set up though. I don’t like leaving root open over ssh, which means a sudo based solution is needed on the client side. I’m also rather paranoid, which means I like my backup solutions to be read only. I also don’t like all of my machines running off of a single rsnapshot configuration, as this means a failure for the script to run on one means it won’t run on the ones after.

For years I had a set of scripts to handle this, but in the days of configuration management that seems almost silly. To make life easier I’ve put this all in a Puppet module.

There are quite a few features to this module that make it stand out:

  • Client specific options instead of enforced globals. This module uses standalone configurations for each host. Besides being more resilient to errors, this enables unique client settings, for instance different retain settings and backup times for different hosts.

  • Backup Point resource type for true Puppet style backup control. Rather than defining each backup point in the class file, the backup resource allows backups to be defined next to the profiles that need them.

  • Support for SSH without root access. In most cases root login is not available over ssh for security reasons, so this module relies instead on its own unique user with restricted sudo access, which gives it the access needed to perform backups.

  • Support for automatic key sharing. The client machine will automatically receive the backup user’s ssh key from the server.

  • Locked down ssh accounts. SSH keys can only be used by the single backup host (locked down automatically by IP address) and are without access to unneeded features like X11 forwarding. Commands allowed by the ssh key are limited to specific wrapper scripts installed by this module.

  • Sender only rsync. One of the biggest threats with rsync access is the potential to overwrite existing files on the system to gain unauthorized access. This module uses a wrapper script around rsync on the client side to make the backup user read only.
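To make the "locked down ssh accounts" and "sender only rsync" items concrete, here is an added sketch of a forced-command wrapper; it is not the script this module installs. The script path, the `/usr/bin/rsync` location, the key line and the function name are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the module's wrapper. Intended as the forced command of
# the backup key in authorized_keys (constructed values, hypothetical path,
# a single line in the real file):
#   from="192.0.2.10",command="/usr/local/bin/rsync_sender.sh",no-pty,
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...

# Return 0 only if the client asked for rsync in sender (read-only) mode.
is_sender_only_rsync() {
    set -f          # client-supplied text must never be glob-expanded
    set -- $1       # split on whitespace only; nothing is eval'd or shell-parsed
    set +f
    # rsync starts its remote side as: rsync --server [--sender] <opts> . <path>
    # Without --sender the remote side is the receiver and writes files.
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    for arg in "$@"; do
        case $arg in
            # Anything outside this set (quotes, ;, |, $, backticks) is refused.
            *[!A-Za-z0-9./_,=+-]*) return 1 ;;
            # Options that make even a sender delete or write on this host.
            --remove-*|--log-file*) return 1 ;;
        esac
    done
    return 0
}

# Runs only when sshd invoked this script as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_sender_only_rsync "$SSH_ORIGINAL_COMMAND"; then
        set -f
        set -- $SSH_ORIGINAL_COMMAND
        shift       # drop the client's "rsync"; use a fixed binary path instead
        exec sudo /usr/bin/rsync "$@"
    fi
    logger -p auth.warning -t rsync_sender "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Rejected requests land in the auth log under the `rsync_sender` tag, which gives a cheap signal that the backup key is being used for something other than pulling files.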

The rsnapshot module is available on the Puppet Forge, and contributions are welcome at GitHub.
