Sysadm:Backuppc
Backuppc is a web browser based unix backup tool. After a plan to put the backups on rebus failed, BackupPC and its backups are now housed on zippy's raida. Configuration may be slightly different on zippy than below, as below is the record for installation on rebus (done by Libby and the new installation on zippy was done by Mike Colee. Backuppc will be used for CHG desktops and chg2.
Contents
Required Packages
- man
- wget
- httpd
- epel (wget)
- remi (wget)
- perl-Compress-Zlib
- perl-Archive-Zip
- perl-File-RsyncP
- perl-suidperl
- openssh-clients
- expect
- Two special repositories, EPEL and REMI.
[root@server ~]# wget -c http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm [root@server ~]# wget -c http://rpms.famillecollet.com/enterprise/remi-release-6.rpm [root@server ~]# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
Enable the REMI repository
[root@server ~]# vib /etc/yum.repos.d/remi.repo
Change "enabled" under [remi] to
enabled=1
backuppc prereqs
[root@server ~]# yum -y install perl-Compress-Zlib perl-Archive-Zip perl-File-RsyncP perl-suidperl openssh-clients expect
Now run yum updates and upgrades (See Errors and Troubleshooting below)
[root@server ~]# yum update -y [root@server ~]# yum upgrade -y
BackupPC User
Make a local backuppc user on the backuppc server. The backuppc account is local and exclusive to [backuppc server].
[root@server ~]# mkdir /localhome/backuppc [root@server ~]# chown [UID]:[GID] !$ [root@server ~]# useradd -d /var/lib/BackupPC -u 105 -g 105 backuppc [root@server ~]# passwd backuppc Changing password for user backuppc. New password: Retype new password: passwd: all authentication tokens updated successfully.
Edit /etc/passwd
[root@server ~]# backuppc:x:105:105::/var/lib/BackupPC:/sbin/nologin
Edit /sbin/nologin
to /bin/bash
when you need to use the account to set up a new client.
Notes for servers with Samba/GNIS accounts
Make sure user's entry is placed in the top three lines in /etc/[passwd,group,shadow,gshadow]
Increment the crontab entry on the desginated BackupPC server from 2 to 3 so that the top 3 lines get preserved against updates from the GNIS stuff.
Pre-Install
Check this out for pre-install tweaks.
Install BackupPC
[root@server ~]# yum --enablerepo=epel install backuppc
Ganked from ERI's wiki.
SELinux voodoo ganked from ERI sysadm wiki
[root@server ~]# for i in httpd_use_nfs rsync_use_nfs httpd_enable_homedirs ; do setsebool -P $i on ; done
Symbolic link to storage area.
[root@server ~]# cp -dpR /var/lib/BackupPC/. /raid/backuppc [root@server ~]# mv /var/lib/BackupPC /var/lib/BackupPC.orig [root@server ~]# ln -s /raid/backuppc /var/lib/BackupPC
- This step is only necessary if you want a specific, non-standard storage area. Replace "raid/backuppc" with whatever directory you would like your storage area to be.
Investigating services...
[root@server ~]#chkconfig --list backuppc backuppc 0:off 1:off 2:off 3:off 4:off 5:off 6:off [root@server ~]#chkconfig --list httpd httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Off? To turn them on at startup:
[root@server ~]#chkconfig backuppc on [root@server ~]#chkconfig httpd on [root@server ~]#chkconfig --list backuppc backuppc 0:off 1:off 2:on 3:on 4:on 5:on 6:off [root@server ~]#chkconfig --list httpd httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Apache Configuration for Web Interface
Prepare Apache for the BackupPC web interface:
[root@server ~]# htpasswd -c /etc/BackupPC/apache.users backuppc New password: #Use BackupPC password for ease of use Re-type new password: Adding password for user backuppc
Tweak the BackupPC Apache conf file - use vib to ensure you have a backup of the original.
vib /etc/httpd/conf.d/BackupPC.conf #Added: allow from all #Commented out: allow from 127.0.0.1 allow from ::1
Make a password/key (we'll use this later):
[root@server ~]# mkpasswd -l 32 -d 16 #Insert long string of letters and numbers here, which will be your password/key
Now use vib to tweak /etc/BackupPC/config.pl
[root@server ~]#vib /etc/BackupPC/config.pl
Search the document for the parameter '$Conf\{ServerMesgSecret\}'
$Conf{ServerMesgSecret} = '[insert password/key here!]'; Now search for $Conf{CgiAdminUsers} and add backuppc
$Conf{CgiAdminUsers} = 'backuppc';
If you are using rsync on a WinXX machine then it does no conversion. A typical WinXX encoding for latin1/western europe is 'cp1252', so in this case set $Conf{ClientCharset} to 'cp1252'.
SAVE!
Now for the Apache conf file!
[root@server ~]#vib /etc/httpd/conf/httpd.conf User backuppc Group apache ServerAdmin libby@geog.ucsb.edu ServerName rebus.geog.ucsb.edu:80 (uncomment)
SAVE!
Finishing Up the Web Browser Interface
Amend and double check iptables (iptables settings/arguments may vary slightly):
[root@server ~]# iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT [root@server ~]# /sbin/service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] [root@server ~]# cat /etc/sysconfig/iptables
Now just start the services...
[root@server ~]#service httpd start Starting httpd: [ OK ] [root@server ~]#service backuppc start Starting BackupPC: [ OK ] [root@server ~]#
And go to your web browser!
http://[server].geog.ucsb.edu/BackupPC
Finishing Up Server Side
Log in to your BackupPC user and create a rsa key for your clients.
[root@server ~]# su - backuppc [backuppc@server ~]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/backuppc/.ssh/id_rsa): /home/backuppc/.ssh/id_rsa Created directory '/home/backuppc/.ssh'. Enter passphrase (empty for no passphrase): #NONE Enter same passphrase again: Your identification has been saved in /home/backuppc/.ssh/id_rsa. Your public key has been saved in /home/backuppc/.ssh/id_rsa.pub. The key fingerprint is: d5:97:8c:41:20:fe:1e:92:d9:82:ca:80:e1:76:b7:a9 backuppc@rebus.geog.ucsb.edu The key's randomart image is: +--[ RSA 2048]----+ | . .oo | | . . . + . | |. . . o + | |.o . * . | |.o.. .. S + | |. .o..o + . | | oo . | | . | | E | +-----------------+ [root@server ~]# ssh-copy-id [client-user]@[client].geog.ucsb.edu
Adding Client on Server Side
To add a new user (to the online interface), first add the new user to /etc/BackupPC/hosts
[root@server ~]# vib /etc/BackupPC/hosts # The first non-comment non-empty line gives the field names and should # not be edited!! # host dhcp user moreUsers # <--- do not edit this line #farside 0 craig jill,jeff # <--- example static IP host entry #larson 1 bill # <--- example DHCP host entry user 0 backuppc user1, optional user2
Then, su to backuppc:
[backuppc@server ~]# htpasswd /etc/BackupPC/apache.users [new user] New password: Re-type new password: Adding password for user [new user]
Client Side
Your Windows clients will need a full installation of Cygwin and launch as Administrator. Use mkpasswd
to refresh the user list in Cygwin if your BackupPC user is not reflected in /etc/passwd
.
Make sure the password that you enter into ssh-host-config
is the password that you want, because it is a pain to change it. Also, please note that the configuration message spits out your password in PLAIN TEXT.
Client SSH Setup
ssh-host-config
[user]@[client] /usr/bin $ ssh-host-config -y *** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes *** Info: Creating default /etc/ssh_config file *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes *** Info: Creating default /etc/sshd_config file *** Info: Privilege separation is set to yes by default since OpenSSH 3.3. *** Info: However, this requires a non-privileged account called 'sshd'. *** Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep *** Query: Should privilege separation be used? (yes/no) yes *** Info: Note that creating a new user requires that the current account have *** Info: Administrator privileges. Should this script attempt to create a *** Query: new local account 'sshd'? (yes/no) yes *** Info: Updating /etc/sshd_config file *** Query: Overwrite existing /etc/inetd.d/sshd-inetd file? (yes/no) yes *** Info: Creating default /etc/inetd.d/sshd-inetd file *** Info: Updated /etc/inetd.d/sshd-inetd *** Query: Do you want to install sshd as a service? *** Query: (Say "no" if it is already installed as a service) (yes/no) yes *** Query: Enter the value of CYGWIN for the daemon: [] *** Info: On Windows Server 2003, Windows Vista, and above, the *** Info: SYSTEM account cannot setuid to other users -- a capability *** Info: sshd requires. You need to have or to create a privileged *** Info: account. This script will help you do so. *** Info: You appear to be running Windows XP 64bit, Windows 2003 Server, *** Info: or later. On these systems, it's not possible to use the LocalSystem *** Info: account for services that can change the user id without an *** Info: explicit password (such as passwordless logins [e.g. public key *** Info: authentication] via sshd). *** Info: If you want to enable that functionality, it's required to create *** Info: a new account with special privileges (unless a similar account *** Info: already exists). This account is then used to run these special *** Info: servers. *** Info: Note that creating a new user requires that the current account *** Info: have Administrator privileges itself. *** Info: No privileged account could be found. *** Info: This script plans to use 'cyg_server'. *** Info: 'cyg_server' will only be used by registered services. *** Query: Create new privileged user account 'cyg_server'? (yes/no) yes *** Info: Please enter a password for new user cyg_server. Please be sure *** Info: that this password matches the password rules given on your system. *** Info: Entering no password will exit the configuration. *** Query: Please enter the password: *** Query: Reenter: *** Info: User 'cyg_server' has been created with password 'PASSWORD'. <-- SEE!? PLAIN TEXT! *** Info: If you change the password, please remember also to change the *** Info: password for the installed services which use (or will soon use) *** Info: the 'cyg_server' account. *** Info: Also keep in mind that the user 'cyg_server' needs read permissions *** Info: on all users' relevant files for the services running as 'cyg_server'. *** Info: In particular, for the sshd server all users' .ssh/authorized_keys *** Info: files must have appropriate permissions to allow public key *** Info: authentication. (Re-)running ssh-user-config for each user will set *** Info: these permissions correctly. [Similar restrictions apply, for *** Info: instance, for .rhosts files if the rshd server is running, etc]. *** Info: The sshd service has been installed under the 'cyg_server' *** Info: account. To start the service now, call `net start sshd' or *** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically *** Info: after the next reboot. *** Info: Host configuration finished. Have fun!
ssh-add
Get ssh set up on your client:
[user]@[client] /usr/bin $ ssh-add Could not open a connection to your authentication agent.
No problem, just:
[user]@[client] /usr/bin $ exec ssh-agent bash [user]@[client] /usr/bin $ ssh-add [user]@[client] /usr/bin $ net start sshd The CYGWIN sshd service is starting. The CYGWIN sshd service was started successfully.
ssh-user-config
[user]@[client] /usr/bin $ ssh-user-config *** Query: Shall I create a SSH2 RSA identity file for you? (yes/no) yes *** Info: Generating /home/Libby White/.ssh/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: *** Query: Do you want to use this identity to login to this machine? (yes/no) yes *** Info: Adding to /home/Libby White/.ssh/authorized_keys *** Query: Shall I create a SSH2 DSA identity file for you? (yes/no) yes *** Info: Generating /home/Libby White/.ssh/id_dsa Enter passphrase (empty for no passphrase): Enter same passphrase again: *** Query: Do you want to use this identity to login to this machine? (yes/no) yes *** Info: Adding to /home/Libby White/.ssh/authorized_keys *** Query: Shall I create a SSH2 ECDSA identity file for you? (yes/no) yes *** Info: Generating /home/Libby White/.ssh/id_ecdsa Enter passphrase (empty for no passphrase): Enter same passphrase again: yes *** Info: Adding to /home/Libby White/.ssh/authorized_keys *** Query: Shall I create a (deprecated) SSH1 RSA identity file for you? (yes/no) yes *** Info: Generating /home/Libby White/.ssh/identity Enter passphrase (empty for no passphrase): Enter same passphrase again: *** Query: Do you want to use this identity to login to this machine? (yes/no) yes *** Info: Adding to /home/Libby White/.ssh/authorized_keys *** Info: Configuration finished. Have fun!
Errors and Troubleshooting
Yum Errors
[root@server ~]# yum update -y Total 3.4 MB/s | 184 MB 00:53 warning: rpmts_HdrFromFdno: Header V3 DSA/SHA1 Signature, key ID 00f97f56: NOKEY Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi Importing GPG key 0x00F97F56: Userid : Remi Collet <RPMS@FamilleCollet.com> Package: remi-release-6-2.el6.remi.noarch (installed) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-remi Running rpm_check_debug Running Transaction Test Transaction Check Error: installing package kernel-2.6.32-358.2.1.el6.x86_64 needs 21MB on the /boot filesystem Error Summary9.23* ------------- Disk Requirements: At least 21MB more space needed on the /boot filesystem.
[root@server ~]# yum upgrade -y Transaction Summary ================================================================ Install 11 Package(s) Upgrade 201 Package(s) Total size: 184 M Downloading Packages: Running rpm_check_debug Running Transaction Test Transaction Check Error: installing package kernel-2.6.32-358.2.1.el6.x86_64 needs 21MB on the /boot filesystem Error Summary ------------- Disk Requirements: At least 21MB more space needed on the /boot filesystem.
Notes
- Set environmental variable on Windows machine if you want cygwin to use your Windows home directory
- Variable name: CYGWIN = ntsec tty
- Variable value: ;[drive letter]:\cygwin\bin