Sysadm:Backuppc


BackupPC is a web-browser-based Unix backup tool. After a plan to put the backups on rebus failed, BackupPC and its backups are now housed on zippy's raida. Configuration on zippy may differ slightly from what is shown below, because this page records the installation on rebus (done by Libby; the new installation on zippy was done by Mike Colee). BackupPC will be used for CHG desktops and Chg2.

Required Packages

  • man
  • wget
  • httpd
  • epel (wget)
  • remi (wget)
  • perl-Compress-Zlib
  • perl-Archive-Zip
  • perl-File-RsyncP
  • perl-suidperl
  • openssh-clients
  • expect

Two special repositories, EPEL and REMI, are also required:

[root@server ~]# wget -c http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@server ~]# wget -c http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
[root@server ~]# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

Enable the REMI repository

[root@server ~]# vib /etc/yum.repos.d/remi.repo

Change "enabled" under [remi] to

enabled=1

backuppc prereqs

[root@server ~]# yum -y install perl-Compress-Zlib perl-Archive-Zip perl-File-RsyncP perl-suidperl openssh-clients expect

Now run yum updates and upgrades (See Errors and Troubleshooting below)

[root@server ~]# yum update -y
[root@server ~]# yum upgrade -y

BackupPC User

Make a local backuppc user on the backuppc server. The backuppc account is local and exclusive to [backuppc server].

[root@server ~]# mkdir /localhome/backuppc
[root@server ~]# chown [UID]:[GID] !$

[root@server ~]# useradd -d /var/lib/BackupPC -u 105 -g 105 backuppc
[root@server ~]# passwd backuppc
Changing password for user backuppc.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Edit /etc/passwd so that the backuppc entry reads:

backuppc:x:105:105::/var/lib/BackupPC:/sbin/nologin

Change /sbin/nologin to /bin/bash in this entry when you need to use the account to set up a new client.

Notes for servers with Samba/GNIS accounts

Make sure the user's entry is placed in the top three lines of /etc/[passwd,group,shadow,gshadow].

Increment the crontab entry on the designated BackupPC server from 2 to 3 so that the top 3 lines are preserved against updates from the GNIS stuff.

Pre-Install

Check this out for pre-install tweaks.

Install BackupPC

[root@server ~]# yum --enablerepo=epel install backuppc 

Ganked from ERI's wiki.

SELinux voodoo ganked from ERI sysadm wiki

[root@server ~]# for i in httpd_use_nfs rsync_use_nfs httpd_enable_homedirs ; do setsebool -P $i on ; done

Symbolic link to storage area.

[root@server ~]# cp -dpR /var/lib/BackupPC/. /raid/backuppc
[root@server ~]# mv /var/lib/BackupPC /var/lib/BackupPC.orig
[root@server ~]# ln -s /raid/backuppc /var/lib/BackupPC
  • This step is only necessary if you want a specific, non-standard storage area. Replace "/raid/backuppc" with whatever directory you would like your storage area to be.

Investigating services

[root@server ~]# chkconfig --list backuppc
backuppc       	0:off	1:off	2:off	3:off	4:off	5:off	6:off
[root@server ~]# chkconfig --list httpd
httpd          	0:off	1:off	2:off	3:off	4:off	5:off	6:off

Off? To turn them on at startup:

[root@server ~]# chkconfig backuppc on
[root@server ~]# chkconfig httpd on
[root@server ~]# chkconfig --list backuppc
backuppc       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
[root@server ~]# chkconfig --list httpd
httpd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Editing /etc/BackupPC/config.pl

This file contains the defaults for your BackupPC setup. Before you change anything, it would be wise to

[root@server BackupPC]# cp config.pl config.pl-org

just in case something goes pear shaped and you need to start back from square one. It's also a really good idea to use vib so that any time you edit the document, the previous version will be saved (making restoring after a mistake much easier).

Apache Configuration for Web Interface

Prepare Apache for the BackupPC web interface:

[root@server ~]# htpasswd -c /etc/BackupPC/apache.users backuppc
New password:        #Use BackupPC password for ease of use
Re-type new password: 
Adding password for user backuppc

Tweak the BackupPC Apache conf file - use vib to ensure you have a backup of the original.

vib /etc/httpd/conf.d/BackupPC.conf

#Added:
allow from all

#Commented out:
allow from 127.0.0.1
allow from ::1

Make a password/key (we'll use this later):

[root@server ~]# mkpasswd -l 32 -d 16
#Insert long string of letters and numbers here, which will be your password/key

Now use vib to tweak /etc/BackupPC/config.pl

[root@server ~]# vib /etc/BackupPC/config.pl

Search the document for the parameter '$Conf{ServerMesgSecret}'

$Conf{ServerMesgSecret} = '[insert password/key here!]';

Now search for $Conf{CgiAdminUsers} and add backuppc

$Conf{CgiAdminUsers}     = 'backuppc';

SAVE!

Now for the Apache conf file!

[root@server ~]# vib /etc/httpd/conf/httpd.conf
User backuppc
Group apache
ServerAdmin libby@geog.ucsb.edu
ServerName rebus.geog.ucsb.edu:80 (uncomment)

SAVE!
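
A quick audit of the three web-interface files edited above, as an added example that is not part of the original wiki page: it flags an uncommented allow from all, a placeholder or short $Conf{ServerMesgSecret}, and a world-readable apache.users. The finding labels and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit the three web-interface
# settings the procedure touches. Prints one finding per line.
audit_backuppc_web() {
    conf=$1; config_pl=$2; users=$3

    # Uncommented "allow from all": every host that can reach the web port
    # gets the login prompt, so the htpasswd login is the only barrier.
    if grep -Eiq '^[[:space:]]*allow[[:space:]]+from[[:space:]]+all' "$conf"; then
        echo "OPEN_ACL $conf"
    fi

    # ServerMesgSecret should be the generated 32-character value, not the
    # placeholder text or an empty string.
    secret=$(grep -E '^[[:space:]]*[$]Conf[{]ServerMesgSecret[}]' "$config_pl" |
             tail -n 1 | cut -s -d"'" -f2)
    case $secret in
        ''|*insert*) echo "WEAK_SECRET placeholder-or-empty" ;;
        *) [ "${#secret}" -ge 32 ] || echo "WEAK_SECRET length=${#secret}" ;;
    esac

    # The htpasswd file holds password hashes; flag it if world-readable.
    if [ -n "$(find "$users" -perm -004 2>/dev/null)" ]; then
        echo "WORLD_READABLE $users"
    fi
}

# Constructed sample files mirroring the edits described above.
demo_audit() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'order deny,allow' 'deny from all' \
        '#allow from 127.0.0.1' '#allow from ::1' 'allow from all' > "$d/BackupPC.conf"
    printf '%s\n' "\$Conf{ServerMesgSecret} = '[insert password/key here!]';" \
        "\$Conf{CgiAdminUsers}     = 'backuppc';" > "$d/config.pl"
    printf '%s\n' 'backuppc:constructed-hash' > "$d/apache.users"
    chmod 644 "$d/apache.users"
    audit_backuppc_web "$d/BackupPC.conf" "$d/config.pl" "$d/apache.users"
    rm -rf "$d"
}

demo_audit
```

On a real server, pass /etc/httpd/conf.d/BackupPC.conf, /etc/BackupPC/config.pl and /etc/BackupPC/apache.users as the three arguments.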

Finishing Up the Web Browser Interface

Amend and double check iptables (iptables settings/arguments may vary slightly):

[root@server ~]# iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
[root@server ~]# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@server ~]# cat /etc/sysconfig/iptables

Now just start the services...

[root@server ~]# service httpd start
Starting httpd:                                            [  OK  ]
[root@server ~]# service backuppc start
Starting BackupPC:                                         [  OK  ]
[root@server ~]#

And go to your web browser!

http://[server].geog.ucsb.edu/BackupPC

Finishing Up Server Side

Log in as the backuppc user and create an RSA key for your clients.

[root@server ~]# su - backuppc
[backuppc@server ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/backuppc/.ssh/id_rsa): /home/backuppc/.ssh/id_rsa
Created directory '/home/backuppc/.ssh'.
Enter passphrase (empty for no passphrase): #NONE
Enter same passphrase again: 
Your identification has been saved in /home/backuppc/.ssh/id_rsa.
Your public key has been saved in /home/backuppc/.ssh/id_rsa.pub.
The key fingerprint is:
d5:97:8c:41:20:fe:1e:92:d9:82:ca:80:e1:76:b7:a9 backuppc@rebus.geog.ucsb.edu
The key's randomart image is:
+--[ RSA 2048]----+
|        . .oo    |
|       . . . + . |
|.       . . o +  |
|.o     . *   .   |
|.o.. .. S +      |
|. .o..o  + .     |
|    oo    .      |
|    .            |
|   E             |
+-----------------+
[backuppc@server ~]# ssh-copy-id [client-user]@[client].geog.ucsb.edu

Adding Client on Server Side

To add a new user (to the online interface), first add the new user to /etc/BackupPC/hosts

[root@server ~]# vib /etc/BackupPC/hosts
# The first non-comment non-empty line gives the field names and should
# not be edited!!
#
host        dhcp    user     moreUsers     # <--- do not edit this line
#farside    0       craig    jill,jeff     # <--- example static IP host entry
#larson     1       bill                   # <--- example DHCP host entry
user        0       backuppc user1, optional user2	

Then, su to backuppc:

[backuppc@server ~]# htpasswd /etc/BackupPC/apache.users [new user]
New password: 
Re-type new password: 
Adding password for user [new user]

This will allow the user to access their host via the web interface. Once they sign in with their username and password (created above), they will be able to view all clients for which they are listed as a user.
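
An access review for the two files just edited, as an added example that is not part of the original wiki page: it lists users named in the hosts file who have no htpasswd entry, and the hosts a given user can browse. Function names, host names and user names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page. File names are passed as arguments.

# users_without_login HOSTS HTPASSWD
# Prints "host user" for each user named in the hosts file who has no
# htpasswd entry and therefore cannot sign in to see that host.
users_without_login() {
    awk '
        FILENAME == ARGV[1] { split($0, f, ":"); known[f[1]] = 1; next }
        { sub(/#.*/, "") }                 # drop comments
        NF < 3 { next }                    # blank or incomplete line
        !header++ { next }                 # first real line holds field names
        {
            n = split($3 "," $4, u, ",")   # user plus comma-separated moreUsers
            for (i = 1; i <= n; i++)
                if (u[i] != "" && !(u[i] in known)) print $1, u[i]
        }
    ' "$2" "$1"
}

# hosts_for_user HOSTS USER
# Prints every host on which USER is listed as user or in moreUsers.
# Users in $Conf{CgiAdminUsers} see all hosts regardless of this file.
hosts_for_user() {
    awk -v who="$2" '
        { sub(/#.*/, "") }
        NF < 3 { next }
        !header++ { next }
        {
            n = split($3 "," $4, u, ",")
            for (i = 1; i <= n; i++) if (u[i] == who) { print $1; break }
        }
    ' "$1"
}

# Constructed sample data (host and user names are made up).
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'host     dhcp  user   moreUsers  # <--- do not edit this line' \
        '#farside 0     craig  jill,jeff' \
        'lab-mac  0     alice  bob' \
        'lab-win  0     bob    carol,alice' > "$d/hosts"
    printf '%s\n' 'backuppc:hash' 'alice:hash' 'bob:hash' > "$d/apache.users"
    echo "$d"
}

d=$(make_sample)
users_without_login "$d/hosts" "$d/apache.users"
hosts_for_user "$d/hosts" alice
rm -rf "$d"
```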

Client Side

Mac Client Setup

In order to set up a Mac client, you first need to set up passwordless logins to the client system.

A couple different approaches to this:

  • In System Preferences -> Sharing, verify that Remote Login is turned on
  • Make sure that "Allow access for:" is set to either All users or that the Administrators GROUP is in the list of allowed users.

Note: Unchecking and then rechecking the Remote Login preferences will restart sshd.

Enable Root Password

Using a terminal as the client system's sysadm or other admin account, enable the root password by running:

[client name] [user]$ dsenableroot
username = sysadm
user password:
root password:
verify root password:
dsenableroot:: ***Successfully enabled root user.

Windows Client Cygwin SSH Setup

Your Windows clients will need a full installation of Cygwin and should be launched as Administrator. Use mkpasswd to refresh the user list in Cygwin if your BackupPC user is not reflected in /etc/passwd.

In order for your Cygwin installation to be useful to BackupPC, the following packages are required:

  • openssh
  • rsync
  • wget
  • shutdown

In addition, you might want to install your favorite text editor (vim, nano, etc).

Make sure the password that you enter into ssh-host-config is the password that you want, because it is a pain to change it. Also, please note that the configuration message spits out your password in PLAIN TEXT.

ssh-host-config

[user]@[client] /usr/bin
$ ssh-host-config -y

*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges.  Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Query: Overwrite existing /etc/inetd.d/sshd-inetd file? (yes/no) yes
*** Info: Creating default /etc/inetd.d/sshd-inetd file
*** Info: Updated /etc/inetd.d/sshd-inetd

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: You appear to be running Windows XP 64bit, Windows 2003 Server,
*** Info: or later.  On these systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: No privileged account could be found.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Create new privileged user account 'cyg_server'? (yes/no) yes
*** Info: Please enter a password for new user cyg_server.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:

*** Info: User 'cyg_server' has been created with password 'PASSWORD'.  <-- SEE!? PLAIN TEXT!
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'cyg_server' account.

*** Info: Also keep in mind that the user 'cyg_server' needs read permissions
*** Info: on all users' relevant files for the services running as 'cyg_server'.
*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions correctly. [Similar restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].


*** Info: The sshd service has been installed under the 'cyg_server'
*** Info: account.  To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
*** Info: after the next reboot.

*** Info: Host configuration finished. Have fun!

ssh-add

Get ssh set up on your client:

[user]@[client] /usr/bin
$ ssh-add
Could not open a connection to your authentication agent.

No problem, just:

[user]@[client] /usr/bin
$ exec ssh-agent bash

[user]@[client] /usr/bin
$ ssh-add

[user]@[client] /usr/bin
$ net start sshd
The CYGWIN sshd service is starting.
The CYGWIN sshd service was started successfully.

ssh-user-config

[user]@[client] /usr/bin
$ ssh-user-config
*** Query: Shall I create a SSH2 RSA identity file for you? (yes/no) yes
*** Info: Generating /home/Libby White/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
*** Query: Do you want to use this identity to login to this machine? (yes/no) yes
*** Info: Adding to /home/Libby White/.ssh/authorized_keys
*** Query: Shall I create a SSH2 DSA identity file for you? (yes/no) yes
*** Info: Generating /home/Libby White/.ssh/id_dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
*** Query: Do you want to use this identity to login to this machine? (yes/no) yes
*** Info: Adding to /home/Libby White/.ssh/authorized_keys
*** Query: Shall I create a SSH2 ECDSA identity file for you? (yes/no) yes
*** Info: Generating /home/Libby White/.ssh/id_ecdsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
yes
*** Info: Adding to /home/Libby White/.ssh/authorized_keys
*** Query: Shall I create a (deprecated) SSH1 RSA identity file for you? (yes/no) yes
*** Info: Generating /home/Libby White/.ssh/identity
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
*** Query: Do you want to use this identity to login to this machine? (yes/no) yes
*** Info: Adding to /home/Libby White/.ssh/authorized_keys

*** Info: Configuration finished. Have fun!

Errors and Troubleshooting

Yum Errors

[root@server ~]# yum update -y
Total                                                   3.4 MB/s | 184 MB     00:53     
warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 00f97f56: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
Importing GPG key 0x00F97F56:
 Userid : Remi Collet <RPMS@FamilleCollet.com>
 Package: remi-release-6-2.el6.remi.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-remi
Running rpm_check_debug
Running Transaction Test

Transaction Check Error:
  installing package kernel-2.6.32-358.2.1.el6.x86_64 needs 21MB on the /boot filesystem

Error Summary
-------------
Disk Requirements:
  At least 21MB more space needed on the /boot filesystem.
[root@server ~]# yum upgrade -y
Transaction Summary
================================================================
Install      11 Package(s)
Upgrade     201 Package(s)

Total size: 184 M
Downloading Packages:
Running rpm_check_debug
Running Transaction Test

Transaction Check Error:
  installing package kernel-2.6.32-358.2.1.el6.x86_64 needs 21MB on the /boot filesystem

Error Summary
-------------
Disk Requirements:
  At least 21MB more space needed on the /boot filesystem.

Host Configuration (server side)

You can edit the host configuration via the online interface to override any standard configurations set in /etc/BackupPC/config.pl. Once you have made any changes to the host's configuration via the online interface (or after the first backup), a [hostname].pl file will be generated in /etc/BackupPC/pc with any overrides you included.

If you are using rsync on a Windows machine, set $Conf{ClientCharset} to 'cp1252' to ensure that your backups are readable, as this is the typical Windows encoding and BackupPC will not do any conversions.

A typical Windows (post XP) [hostname].pl will look like this:

$Conf{ClientCharset} = 'cp1252';
$Conf{RsyncShareName} = [
  '/cygdrive/c',
  '/cygdrive/d'
];
$Conf{BackupFilesExclude} = {
  '*' => [
  #7/Vista junction points
  '/Documents and Settings',
  '/ProgramData/Application Data',
  '/ProgramData/Desktop',
  '/ProgramData/Documents',
  '/ProgramData/Favorites',
  '/ProgramData/Start Menu',
  '/ProgramData/Templates',
  '/Users/All Users',
  '/Users/Default User', 
  #Junction points common to every user profile
  '/Users/*/Application Data',
  '/Users/*/Cookies',
  '/Users/*/Local Settings',
  '/Users/*/My Documents',
  '/Users/*/NetHood',
  '/Users/*/PrintHood',
  '/Users/*/Recent',
  '/Users/*/SendTo',
  '/Users/*/Start Menu',
  '/Users/*/Templates',
  '/Users/*/Documents/My Music',
  '/Users/*/Documents/My Pictures',
  '/Users/*/Documents/My Videos', 
  #Temporary and in-use user data
  '/Users/*/AppData/',
  '/Users/*/NTUSER.DAT*',
  '/Users/*/ntuser.dat*',
  '/ProgramData',
  '*.lock',
  'Thumbs.db',
  'IconCache.db',
  'Cache*',
  'cache*',
 
  #Installation folders and system data
  '/Windows/System32',
  '/$Recycle.Bin',
  '/MSOCache',
  '/System Volume Information',
  '/Boot',
  'autoexec.bat',
  'bootmgr',
  'BOOTSECT.BAK',
  'config.sys',
  'hiberfil.sys',
  'pagefile.sys'
 ]
};

A more fine-tuned Windows exclude list can be found here.

