Difference between revisions of "Sysadm:Backuppc"

From CHG-Wiki

Revision as of 14:08, 2 October 2013

BackupPC is a web-browser-based Unix backup tool. After a plan to put the backups on rebus failed, the plan now is to place the backups on the 6x4TB RAID on the rebuilt zippy. BackupPC will be used for CHG desktops and chg2.

Required Packages

  • man
  • wget
  • httpd
  • epel (wget)
  • remi (wget)
  • perl-Compress-Zlib
  • perl-Archive-Zip
  • perl-File-RsyncP
  • perl-suidperl
  • openssh-clients
  • expect
  • Two special repositories, EPEL and REMI.
[root@server ~]# wget -c http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@server ~]# wget -c http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
[root@server ~]# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

Enable the REMI repository

[root@server ~]# vib /etc/yum.repos.d/remi.repo

Change "enabled" under [remi] to

enabled=1

backuppc prereqs

[root@server ~]# yum -y install perl-Compress-Zlib perl-Archive-Zip perl-File-RsyncP perl-suidperl openssh-clients expect

Now run yum updates and upgrades (See Errors and Troubleshooting below)

[root@server ~]# yum update -y
[root@server ~]# yum upgrade -y

BackupPC User

Make a local backuppc user on the backuppc server. The backuppc account is local and exclusive to [backuppc server].

[root@server ~]# mkdir /localhome/backuppc
[root@server ~]# chown [UID]:[GID] !$

[root@server ~]# useradd -d /var/lib/BackupPC -u 105 -g 105 backuppc
[root@server ~]# passwd backuppc
Changing password for user backuppc.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Edit /etc/passwd so that the backuppc entry reads:

backuppc:x:105:105::/var/lib/BackupPC:/sbin/nologin

Temporarily change the shell from /sbin/nologin to /bin/bash when you need to use the account to set up a new client.

Make sure the user's entry is placed in the top three lines of /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow.

Increment the crontab entry on rebus from 2 to 3 so that the top three lines get preserved against updates from the GNIS stuff.

Pre-Install

Check this out for pre-install tweaks.

Install BackupPC

[root@server ~]# yum --enablerepo=epel install backuppc 

Ganked from wiki.

SELinux voodoo ganked from ERI sysadm wiki

[root@server ~]# for i in httpd_use_nfs rsync_use_nfs httpd_enable_homedirs ; do setsebool -P $i on ; done

Symbolic link to storage area.

[root@server ~]# cp -dpR /var/lib/BackupPC/. /raid/backuppc
[root@server ~]# mv /var/lib/BackupPC /var/lib/BackupPC.orig
[root@server ~]# ln -s /raid/backuppc /var/lib/BackupPC

Investigating services...

[root@server ~]# chkconfig --list backuppc
backuppc       	0:off	1:off	2:off	3:off	4:off	5:off	6:off
[root@server ~]# chkconfig --list httpd
httpd          	0:off	1:off	2:off	3:off	4:off	5:off	6:off

Off? To turn them on at startup:

[root@server ~]# chkconfig backuppc on
[root@server ~]# chkconfig httpd on
[root@server ~]# chkconfig --list backuppc
backuppc       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
[root@server ~]# chkconfig --list httpd
httpd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Apache Configuration for Web Interface

Prepare Apache for the BackupPC web interface:

[root@server ~]# htpasswd -c /etc/BackupPC/apache.users backuppc
New password:        #Use BackupPC password for ease of use
Re-type new password: 
Adding password for user backuppc

Tweak the BackupPC Apache conf file (use vib so you keep a backup of the original). With allow from all the interface is reachable from any address, so the htpasswd file created above is the only thing gating access to it:

vib /etc/httpd/conf.d/BackupPC.conf

#Added:
allow from all

#Commented out:
#allow from 127.0.0.1
#allow from ::1

Make a password/key (we'll use this later; this mkpasswd is the one from the expect package installed above):

[root@server ~]# mkpasswd -l 32 -d 16
#Insert long string of letters and numbers here, which will be your password/key

Now use vib to tweak /etc/BackupPC/config.pl

[root@server ~]# vib /etc/BackupPC/config.pl

Search the document for the parameter $Conf{ServerMesgSecret} and set it to the password/key generated above:

$Conf{ServerMesgSecret} = '[insert password/key here!]';

Now search for $Conf{CgiAdminUsers} and add backuppc:

$Conf{CgiAdminUsers}     = 'backuppc';

If you are using rsync on a WinXX machine, it does no character-set conversion. A typical WinXX encoding for latin1/western Europe is 'cp1252', so in that case set $Conf{ClientCharset} to 'cp1252'.

SAVE!
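As an added check (not part of the wiki's procedure), the script below reads a config.pl and the htpasswd file and flags the mistakes that are easy to make at this step: a ServerMesgSecret that is still the placeholder or too short, an unset CgiAdminUsers, and an apache.users file that other local users can read. The file paths, the 16-character minimum and the sample values in the comments are assumptions; on the server you would point check_config at /etc/BackupPC/config.pl and /etc/BackupPC/apache.users.

```shell
#!/bin/sh
# Added example: sanity-check the BackupPC settings edited above.
# Not part of the wiki page; paths, thresholds and sample values are assumptions.

# conf_value CONFIG KEY
# Print the single-quoted value of a line like  $Conf{KEY} = '...';  from config.pl.
conf_value() {
    sed -n "s/^[[:space:]]*[\$]Conf{$2}[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# file_mode FILE -> octal permission bits (GNU stat, with BSD stat as fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_config CONFIG HTPASSWD -> 0 if everything passes, 1 otherwise
check_config() {
    conf=$1; htpasswd=$2; rc=0

    secret=$(conf_value "$conf" ServerMesgSecret)
    if [ -z "$secret" ] || [ "${#secret}" -lt 16 ]; then
        echo "FAIL: ServerMesgSecret is empty or shorter than 16 characters"; rc=1
    fi
    case "$secret" in
        *insert*|*password*|*secret*) echo "FAIL: ServerMesgSecret still looks like a placeholder"; rc=1 ;;
    esac

    admins=$(conf_value "$conf" CgiAdminUsers)
    if [ -z "$admins" ]; then
        echo "FAIL: CgiAdminUsers is not set, so nobody can administer BackupPC via the CGI"; rc=1
    fi

    if [ -f "$htpasswd" ]; then
        mode=$(file_mode "$htpasswd")
        # Last octal digit is the "other" class; anything non-zero lets any local user read the hashes.
        case "$mode" in
            *[1-7]) echo "FAIL: $htpasswd is accessible to other users (mode $mode)"; rc=1 ;;
        esac
    else
        echo "FAIL: $htpasswd does not exist, run htpasswd -c first"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf and $htpasswd look sane"
    return "$rc"
}

# Usage: sh check_backuppc.sh /etc/BackupPC/config.pl /etc/BackupPC/apache.users
if [ "$#" -eq 2 ]; then
    check_config "$1" "$2"
fi
```

The value check is deliberately string-based: the wiki's mkpasswd step produces a 32-character mixed string, so anything shorter or still containing the bracketed placeholder text means the edit was never made.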

Now for the Apache conf file!

[root@server ~]# vib /etc/httpd/conf/httpd.conf
User backuppc
Group apache
ServerAdmin libby@geog.ucsb.edu
ServerName rebus.geog.ucsb.edu:80 (uncomment)

SAVE!

Finishing Up the Web Browser Interface

Amend and double check iptables (iptables settings/arguments may vary slightly):

[root@server ~]# iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
[root@server ~]# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@server ~]# cat /etc/sysconfig/iptables

Now just start the services...

[root@server ~]# service httpd start
Starting httpd:                                            [  OK  ]
[root@server ~]# service backuppc start
Starting BackupPC:                                         [  OK  ]
[root@server ~]#

And go to your web browser!

http://[server].geog.ucsb.edu/BackupPC

Finishing Up Server Side

Log in as your BackupPC user and create an RSA key for your clients. The key gets no passphrase because BackupPC runs unattended, which means anyone who can read this private key can log in to every client as the backup user; keep it readable by backuppc only.

[root@server ~]# su - backuppc
[backuppc@server ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/backuppc/.ssh/id_rsa): /home/backuppc/.ssh/id_rsa
Created directory '/home/backuppc/.ssh'.
Enter passphrase (empty for no passphrase): #NONE
Enter same passphrase again: 
Your identification has been saved in /home/backuppc/.ssh/id_rsa.
Your public key has been saved in /home/backuppc/.ssh/id_rsa.pub.
The key fingerprint is:
d5:97:8c:41:20:fe:1e:92:d9:82:ca:80:e1:76:b7:a9 backuppc@rebus.geog.ucsb.edu
The key's randomart image is:
+--[ RSA 2048]----+
|        . .oo    |
|       . . . + . |
|.       . . o +  |
|.o     . *   .   |
|.o.. .. S +      |
|. .o..o  + .     |
|    oo    .      |
|    .            |
|   E             |
+-----------------+
[backuppc@server ~]# ssh-copy-id [client-user]@[client].geog.ucsb.edu    # run as backuppc so its key, not root's, is copied
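ssh-copy-id appends the server's public key to the client's authorized_keys with no restrictions, so the key opens any session the backup user may start. As an added hardening step on the client (not part of the wiki's procedure), the helper below wraps that same public key in authorized_keys options that pin it to the backup server's address, disable forwarding and PTY allocation, and force a single command, so the key is only good for the rsync transfer BackupPC runs. OpenSSH, including the Cygwin sshd installed below, honours these options. The server address, the forced rsync command line and the key material in the test are constructed placeholders; the forced command must match what your BackupPC host configuration actually sends.

```shell
#!/bin/sh
# Added example, not from the wiki: restrict the BackupPC server's key on a client.
# Assumptions: the client runs OpenSSH (Cygwin's sshd included) and you know the
# rsync --server command line BackupPC uses for this host.

# restrict_key PUBKEY_LINE SERVER_ADDR FORCED_CMD
# Print PUBKEY_LINE prefixed with options that pin it to SERVER_ADDR,
# disable port/X11/agent forwarding and PTYs, and force FORCED_CMD.
restrict_key() {
    pubkey=$1; server=$2; cmd=$3
    # Accept only something shaped like "<keytype> <base64> [comment]".
    case "$pubkey" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "restrict_key: not a public key line: $pubkey" >&2; return 1 ;;
    esac
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="%s" %s\n' \
        "$server" "$cmd" "$pubkey"
}

# install_restricted AUTHORIZED_KEYS PUBKEY_LINE SERVER_ADDR FORCED_CMD
# Append the restricted entry unless that key is already present, and keep the
# file private (sshd refuses authorized_keys that others can write).
install_restricted() {
    file=$1; shift
    line=$(restrict_key "$@") || return 1
    keydata=$(printf '%s\n' "$1" | awk '{print $2}')
    if [ -f "$file" ] && grep -qF -- "$keydata" "$file"; then
        echo "install_restricted: key already present in $file" >&2
        return 0
    fi
    ( umask 077; mkdir -p "$(dirname "$file")"; printf '%s\n' "$line" >> "$file" )
    chmod 600 "$file"
}

# Usage on a client, with the id_rsa.pub produced by ssh-keygen on the server
# (server address and rsync arguments are placeholders to fill in from your config):
#   install_restricted ~/.ssh/authorized_keys "$(cat id_rsa.pub)" 192.0.2.10 \
#       "/usr/bin/rsync --server --sender <args from your BackupPC host config> . /"
```

If BackupPC later needs a different rsync argument list, the forced command has to be updated on every client; the trade is worth it because a stolen server key then yields nothing but a read-only rsync session from one address.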

Client Side

Your Windows clients need a full installation of Cygwin (http://www.cygwin.com/), launched as Administrator. Use mkpasswd to refresh the user list in Cygwin if your BackupPC user is not reflected in /etc/passwd.

Make sure the password that you enter into ssh-host-config is the password that you want, because it is a pain to change it. Also, please note that the configuration message spits out your password in PLAIN TEXT.

[user]@[client] /usr/bin
$ ssh-host-config -y

*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges.  Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Query: Overwrite existing /etc/inetd.d/sshd-inetd file? (yes/no) yes
*** Info: Creating default /etc/inetd.d/sshd-inetd file
*** Info: Updated /etc/inetd.d/sshd-inetd

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: You appear to be running Windows XP 64bit, Windows 2003 Server,
*** Info: or later.  On these systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: No privileged account could be found.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Create new privileged user account 'cyg_server'? (yes/no) yes
*** Info: Please enter a password for new user cyg_server.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:

*** Info: User 'cyg_server' has been created with password 'PASSWORD'.  <-- SEE!? PLAIN TEXT!
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'cyg_server' account.

*** Info: Also keep in mind that the user 'cyg_server' needs read permissions
*** Info: on all users' relevant files for the services running as 'cyg_server'.
*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions correctly. [Similar restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].


*** Info: The sshd service has been installed under the 'cyg_server'
*** Info: account.  To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
*** Info: after the next reboot.

*** Info: Host configuration finished. Have fun!

Get ssh set up on your client:

[user]@[client] /usr/bin
$ ssh-add
Could not open a connection to your authentication agent.

No problem, just:

[user]@[client] /usr/bin
$ exec ssh-agent bash

[user]@[client] /usr/bin
$ ssh-add

[user]@[client] /usr/bin
$ net start sshd
The CYGWIN sshd service is starting.
The CYGWIN sshd service was started successfully.

Errors and Troubleshooting

Yum Errors

[root@server ~]# yum update -y
Total                                                   3.4 MB/s | 184 MB     00:53     
warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 00f97f56: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
Importing GPG key 0x00F97F56:
 Userid : Remi Collet <RPMS@FamilleCollet.com>
 Package: remi-release-6-2.el6.remi.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-remi
Running rpm_check_debug
Running Transaction Test

Transaction Check Error:
  installing package kernel-2.6.32-358.2.1.el6.x86_64 needs 21MB on the /boot filesystem

Error Summary
-------------
Disk Requirements:
  At least 21MB more space needed on the /boot filesystem.
[root@server ~]# yum upgrade -y
Transaction Summary
================================================================
Install      11 Package(s)
Upgrade     201 Package(s)

Total size: 184 M
Downloading Packages:
Running rpm_check_debug
Running Transaction Test

Transaction Check Error:
  installing package kernel-2.6.32-358.2.1.el6.x86_64 needs 21MB on the /boot filesystem

Error Summary
-------------
Disk Requirements:
  At least 21MB more space needed on the /boot filesystem.
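The /boot shortage above only surfaces after yum has already downloaded the 184 MB transaction, so it is worth checking before running the update step earlier on this page. As an added example (not from the wiki), the functions below parse df -Pm output for /boot and refuse to start yum update unless the free space covers what the new kernel needs; the 21 MB default is the figure from the error message above, and the df sample in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki: refuse to start yum update when /boot
# cannot hold the kernel the transaction wants to install.

# avail_mb: read "df -Pm <mountpoint>" output on stdin, print the Available column (MB)
avail_mb() {
    awk 'NR == 2 { print $4 }'
}

# has_space NEED_MB DF_OUTPUT -> 0 if Available >= NEED_MB, 1 if not, 2 if unparsable
has_space() {
    need=$1
    avail=$(printf '%s\n' "$2" | avail_mb)
    case "$avail" in
        ''|*[!0-9]*) echo "has_space: could not read free space from df output" >&2; return 2 ;;
    esac
    if [ "$avail" -ge "$need" ]; then
        return 0
    fi
    echo "has_space: /boot has ${avail}MB free, ${need}MB needed" >&2
    return 1
}

# safe_update [NEED_MB]: run yum update only when /boot has room
safe_update() {
    need=${1:-21}   # 21MB is what the kernel in the transcript above asked for
    has_space "$need" "$(df -Pm /boot)" || return $?
    yum update -y
}
```

safe_update returns has_space's status (1 for too little room, 2 for unreadable df output) without touching yum, so it can sit in front of the update in a cron job or a wrapper script and fail loudly instead of half-way through a transaction.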