Here’s a small addition to Dean Gaudet’s tutorial on how to set up rdiff-backup for secure, unattended remote backups.
The scenario: you want host1 to pull backups from:
host2 : /var/log
host2 : /var/www
You’ve set everything up:
- A non-root user on host1 called backupuser which initiates the backup
- SSH private/public keys for backupuser
- Added backupuser’s public key to host2:/root/.ssh/authorized_keys
- An entry for host2 preconfigured in host1:~/.ssh/config as explained in the original tutorial.
Then you find out that in authorized_keys, you can only limit backupuser to run one command, not multiple:
root@host2:~# cat /root/.ssh/authorized_keys command="commandname" ssh-rsa FBwfijwefwB(...etc...)
The solution is to set command to be a shell script:
command="/root/run_backup.sh" ssh-rsa FBwfijwefwB(...etc...)
Then, to let the shell script (located on host2) contain something like:
#!/bin/bash case "$SSH_ORIGINAL_COMMAND" in log) rdiff-backup --server --restrict-read-only /var/log ;; www) rdiff-backup --server --restrict-read-only /var/www ;; esac
One problem that remains is how to call the commands the right way using rdiff-backup. The above commands can be manually triggered by doing:
backupuser@host1:~$ ssh -i ~/mykey root@host2 log
…but this won’t work with rdiff-backup. The solution is to call the remote command as follows:
backupuser@host1:~$ rdiff-backup --remote-schema 'ssh -C %s log' host2::/var/log /my/local/backupdir/log
There you go!
Although left out of this write-up, host2:/root/.ssh/authorized_keys should also contain the additional security variables (like: from=”host1″,no-port-forwarding) as explained in the original tutorial.
If you have another backup task that you’d like to perform without the use of rdiff-backup, simply add it to the shell script on host2:
#!/bin/bash case "$SSH_ORIGINAL_COMMAND" in log) rdiff-backup --server --restrict-read-only /var/log ;; www) rdiff-backup --server --restrict-read-only /var/www ;; dumpdb) mysqldump -u backupuser -pPassword databasename ;; esac
Which can then be triggered from host1 using something like:
backupuser@host1:~$ ssh -i ~/mykey root@host2 dumpdb > /my/local/backupdir/dbdump.sql