Difference between revisions of "Sysadm:Backuppc"

From CHG-Wiki
Jump to navigationJump to search
m
Line 85: Line 85:
 
[root@server ~]# ln -s /raid/backuppc /var/lib/BackupPC
 
[root@server ~]# ln -s /raid/backuppc /var/lib/BackupPC
 
</pre>
 
</pre>
 +
*This step is only necessary if you want a specific, non-standard storage area. Replace "raid/backuppc" with whatever directory you would like your storage area to be.
  
 
Investigating services...
 
Investigating services...

Revision as of 11:54, 17 April 2014

Backuppc is a web browser based unix backup tool. After a plan to put the backups on rebus failed, BackupPC and its backups are now housed on zippy's raida. Configuration may be slightly different on zippy than below, as below is the record for installation on rebus (done by Libby and the new installation on zippy was done by Mike Colee. Backuppc will be used for CHG desktops and chg2.

Required Packages

  • man
  • wget
  • httpd
  • epel (wget)
  • remi (wget)
  • perl-Compress-Zlib
  • perl-Archive-Zip
  • perl-File-RsyncP
  • perl-suidperl
  • openssh-clients
  • expect
  • Two special repositories, EPEL and REMI.
[root@server ~]# wget -c http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@server ~]# wget -c http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
[root@server ~]# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

Enable the REMI repository

[root@server ~]# vib /etc/yum.repos.d/remi.repo

Change "enabled" under [remi] to

enabled=1

backuppc prereqs

[root@server ~]# yum -y install perl-Compress-Zlib perl-Archive-Zip perl-File-RsyncP perl-suidperl openssh-clients expect

Now run yum updates and upgrades (See Errors and Troubleshooting below)

[root@server ~]# yum update -y
[root@server ~]# yum upgrade -y

BackupPC User

Make a local backuppc user on the backuppc server. The backuppc account is local and exclusive to [backuppc server].

[root@server ~]# mkdir /localhome/backuppc
[root@server ~]# chown [UID]:[GID] !$

[root@server ~]# useradd -d /var/lib/BackupPC -u 105 -g 105 backuppc
[root@server ~]# passwd backuppc
Changing password for user backuppc.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Edit /etc/passwd

[root@server ~]# backuppc:x:105:105::/var/lib/BackupPC:/sbin/nologin

Edit /sbin/nologin to /bin/bash when you need to use the account to set up a new client.

Notes for servers with Samba/GNIS accounts

Make sure user's entry is placed in the top three lines in /etc/[passwd,group,shadow,gshadow]

Increment the crontab entry on the desginated BackupPC server from 2 to 3 so that the top 3 lines get preserved against updates from the GNIS stuff.

Pre-Install

Check this out for pre-install tweaks.

Install BackupPC

[root@server ~]# yum --enablerepo=epel install backuppc 

Ganked from ERI's wiki.

SELinux voodoo ganked from ERI sysadm wiki

[root@server ~]# for i in httpd_use_nfs rsync_use_nfs httpd_enable_homedirs ; do setsebool -P $i on ; done

Symbolic link to storage area.

[root@server ~]# cp -dpR /var/lib/BackupPC/. /raid/backuppc
[root@server ~]# mv /var/lib/BackupPC /var/lib/BackupPC.orig
[root@server ~]# ln -s /raid/backuppc /var/lib/BackupPC
  • This step is only necessary if you want a specific, non-standard storage area. Replace "raid/backuppc" with whatever directory you would like your storage area to be.

Investigating services...

[root@server ~]#chkconfig --list backuppc
backuppc       	0:off	1:off	2:off	3:off	4:off	5:off	6:off
[root@server ~]#chkconfig --list httpd
httpd          	0:off	1:off	2:off	3:off	4:off	5:off	6:off

Off? To turn them on at startup:

[root@server ~]#chkconfig backuppc on
[root@server ~]#chkconfig httpd on
[root@server ~]#chkconfig --list backuppc
backuppc       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
[root@server ~]#chkconfig --list httpd
httpd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Apache Configuration for Web Interface

Prepare Apache for the BackupPC web interface:

[root@server ~]# htpasswd -c /etc/BackupPC/apache.users backuppc
New password:        #Use BackupPC password for ease of use
Re-type new password: 
Adding password for user backuppc

Tweak the BackupPC Apache conf file - use vib to ensure you have a backup of the original.

vib /etc/httpd/conf.d/BackupPC.conf

#Added:
allow from all

#Commented out:
allow from 127.0.0.1
allow from ::1

Make a password/key (we'll use this later):

[root@server ~]# mkpasswd -l 32 -d 16
#Insert long string of letters and numbers here, which will be your password/key

Now use vib to tweak /etc/BackupPC/config.pl

[root@server ~]#vib /etc/BackupPC/config.pl

Search the document for the parameter '$Conf\{ServerMesgSecret\}'

$Conf{ServerMesgSecret} = '[insert password/key here!]';
Now search for $Conf{CgiAdminUsers} and add backuppc
$Conf{CgiAdminUsers}     = 'backuppc';

If you are using rsync on a WinXX machine then it does no conversion. A typical WinXX encoding for latin1/western europe is 'cp1252', so in this case set $Conf{ClientCharset} to 'cp1252'.

SAVE!

Now for the Apache conf file!

[root@server ~]#vib /etc/httpd/conf/httpd.conf
User backuppc
Group apache
ServerAdmin libby@geog.ucsb.edu
ServerName rebus.geog.ucsb.edu:80 (uncomment)

SAVE!

Finishing Up the Web Browser Interface

Amend and double check iptables (iptables settings/arguments may vary slightly):

[root@server ~]# iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
[root@server ~]# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@server ~]# cat /etc/sysconfig/iptables

Now just start the services...

[root@server ~]#service httpd start
Starting httpd:                                            [  OK  ]
[root@server ~]#service backuppc start
Starting BackupPC:                                         [  OK  ]
[root@server ~]#

And go to your web browser!

http://[server].geog.ucsb.edu/BackupPC

Finishing Up Server Side

Log in to your BackupPC user and create a rsa key for your clients.

[root@server ~]# su - backuppc
[backuppc@server ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/backuppc/.ssh/id_rsa): /home/backuppc/.ssh/id_rsa
Created directory '/home/backuppc/.ssh'.
Enter passphrase (empty for no passphrase): #NONE
Enter same passphrase again: 
Your identification has been saved in /home/backuppc/.ssh/id_rsa.
Your public key has been saved in /home/backuppc/.ssh/id_rsa.pub.
The key fingerprint is:
d5:97:8c:41:20:fe:1e:92:d9:82:ca:80:e1:76:b7:a9 backuppc@rebus.geog.ucsb.edu
The key's randomart image is:
+--[ RSA 2048]----+
|        . .oo    |
|       . . . + . |
|.       . . o +  |
|.o     . *   .   |
|.o.. .. S +      |
|. .o..o  + .     |
|    oo    .      |
|    .            |
|   E             |
+-----------------+
[root@server ~]# ssh-copy-id [client-user]@[client].geog.ucsb.edu

Adding Client on Server Side

To add a new user (to the online interface), first add the new user to /etc/BackupPC/hosts

[root@server ~]# vib /etc/BackupPC/hosts
# The first non-comment non-empty line gives the field names and should
# not be edited!!
#
host        dhcp    user     moreUsers     # <--- do not edit this line
#farside    0       craig    jill,jeff     # <--- example static IP host entry
#larson     1       bill                   # <--- example DHCP host entry
user        0       backuppc user1, optional user2	

Then, su to backuppc:

[backuppc@server ~]# htpasswd /etc/BackupPC/apache.users [new user]
New password: 
Re-type new password: 
Adding password for user [new user]

Client Side

Your Windows clients will need a full installation of Cygwin and launch as Administrator. Use mkpasswd to refresh the user list in Cygwin if your BackupPC user is not reflected in /etc/passwd.

Make sure the password that you enter into ssh-host-config is the password that you want, because it is a pain to change it. Also, please note that the configuration message spits out your password in PLAIN TEXT.

Client SSH Setup

ssh-host-config

[user]@[client] /usr/bin
$ ssh-host-config -y

*** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
*** Info: Creating default /etc/ssh_config file
*** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
*** Info: Creating default /etc/sshd_config file
*** Info: Privilege separation is set to yes by default since OpenSSH 3.3.
*** Info: However, this requires a non-privileged account called 'sshd'.
*** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep
*** Query: Should privilege separation be used? (yes/no) yes
*** Info: Note that creating a new user requires that the current account have
*** Info: Administrator privileges.  Should this script attempt to create a
*** Query: new local account 'sshd'? (yes/no) yes
*** Info: Updating /etc/sshd_config file
*** Query: Overwrite existing /etc/inetd.d/sshd-inetd file? (yes/no) yes
*** Info: Creating default /etc/inetd.d/sshd-inetd file
*** Info: Updated /etc/inetd.d/sshd-inetd

*** Query: Do you want to install sshd as a service?
*** Query: (Say "no" if it is already installed as a service) (yes/no) yes
*** Query: Enter the value of CYGWIN for the daemon: []
*** Info: On Windows Server 2003, Windows Vista, and above, the
*** Info: SYSTEM account cannot setuid to other users -- a capability
*** Info: sshd requires.  You need to have or to create a privileged
*** Info: account.  This script will help you do so.

*** Info: You appear to be running Windows XP 64bit, Windows 2003 Server,
*** Info: or later.  On these systems, it's not possible to use the LocalSystem
*** Info: account for services that can change the user id without an
*** Info: explicit password (such as passwordless logins [e.g. public key
*** Info: authentication] via sshd).

*** Info: If you want to enable that functionality, it's required to create
*** Info: a new account with special privileges (unless a similar account
*** Info: already exists). This account is then used to run these special
*** Info: servers.

*** Info: Note that creating a new user requires that the current account
*** Info: have Administrator privileges itself.

*** Info: No privileged account could be found.

*** Info: This script plans to use 'cyg_server'.
*** Info: 'cyg_server' will only be used by registered services.
*** Query: Create new privileged user account 'cyg_server'? (yes/no) yes
*** Info: Please enter a password for new user cyg_server.  Please be sure
*** Info: that this password matches the password rules given on your system.
*** Info: Entering no password will exit the configuration.
*** Query: Please enter the password:
*** Query: Reenter:

*** Info: User 'cyg_server' has been created with password 'PASSWORD'.  <-- SEE!? PLAIN TEXT!
*** Info: If you change the password, please remember also to change the
*** Info: password for the installed services which use (or will soon use)
*** Info: the 'cyg_server' account.

*** Info: Also keep in mind that the user 'cyg_server' needs read permissions
*** Info: on all users' relevant files for the services running as 'cyg_server'.
*** Info: In particular, for the sshd server all users' .ssh/authorized_keys
*** Info: files must have appropriate permissions to allow public key
*** Info: authentication. (Re-)running ssh-user-config for each user will set
*** Info: these permissions correctly. [Similar restrictions apply, for
*** Info: instance, for .rhosts files if the rshd server is running, etc].


*** Info: The sshd service has been installed under the 'cyg_server'
*** Info: account.  To start the service now, call `net start sshd' or
*** Info: `cygrunsrv -S sshd'.  Otherwise, it will start automatically
*** Info: after the next reboot.

*** Info: Host configuration finished. Have fun!

ssh-add

Get ssh set up on your client:

[user]@[client] /usr/bin
$ ssh-add
Could not open a connection to your authentication agent.

No problem, just:

[user]@[client] /usr/bin
$ exec ssh-agent bash

[user]@[client] /usr/bin
$ ssh-add

[user]@[client] /usr/bin
$ net start sshd
The CYGWIN sshd service is starting.
The CYGWIN sshd service was started successfully.

ssh-user-config

[user]@[client] /usr/bin
$ ssh-user-config
*** Query: Shall I create a SSH2 RSA identity file for you? (yes/no) yes
*** Info: Generating /home/Libby White/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
*** Query: Do you want to use this identity to login to this machine? (yes/no) yes
*** Info: Adding to /home/Libby White/.ssh/authorized_keys
*** Query: Shall I create a SSH2 DSA identity file for you? (yes/no) yes
*** Info: Generating /home/Libby White/.ssh/id_dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
*** Query: Do you want to use this identity to login to this machine? (yes/no) yes
*** Info: Adding to /home/Libby White/.ssh/authorized_keys
*** Query: Shall I create a SSH2 ECDSA identity file for you? (yes/no) yes
*** Info: Generating /home/Libby White/.ssh/id_ecdsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
yes
*** Info: Adding to /home/Libby White/.ssh/authorized_keys
*** Query: Shall I create a (deprecated) SSH1 RSA identity file for you? (yes/no) yes
*** Info: Generating /home/Libby White/.ssh/identity
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
*** Query: Do you want to use this identity to login to this machine? (yes/no) yes
*** Info: Adding to /home/Libby White/.ssh/authorized_keys

*** Info: Configuration finished. Have fun!

Errors and Troubleshooting

Yum Errors

[root@server ~]# yum update -y
Total                                                   3.4 MB/s | 184 MB     00:53     
warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 00f97f56: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
Importing GPG key 0x00F97F56:
 Userid : Remi Collet <RPMS@FamilleCollet.com>
 Package: remi-release-6-2.el6.remi.noarch (installed)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-remi
Running rpm_check_debug
Running Transaction Test

Transaction Check Error:
  installing package kernel-2.6.32-358.2.1.el6.x86_64 needs 21MB on the /boot filesystem

Error Summary9.23*
-------------
Disk Requirements:
  At least 21MB more space needed on the /boot filesystem.
[root@server ~]# yum upgrade -y
Transaction Summary
================================================================
Install      11 Package(s)
Upgrade     201 Package(s)

Total size: 184 M
Downloading Packages:
Running rpm_check_debug
Running Transaction Test

Transaction Check Error:
  installing package kernel-2.6.32-358.2.1.el6.x86_64 needs 21MB on the /boot filesystem

Error Summary
-------------
Disk Requirements:
  At least 21MB more space needed on the /boot filesystem.

Notes

  • Set environmental variable on Windows machine if you want cygwin to use your Windows home directory
    • Variable name: CYGWIN = ntsec tty
    • Variable value: ;[drive letter]:\cygwin\bin

Links