HOWTO: Unattended rdiff-backup + multiple commands

Here’s a small addition to Dean Gaudet’s tutorial on how to set up rdiff-backup for secure, unattended remote backups.

The scenario: you want host1 to pull backups from:

host2 : /var/log
host2 : /var/www

You’ve set everything up:

  • A non-root user on host1 called backupuser which initiates the backup
  • SSH private/public keys for backupuser
  • Added backupuser’s public key to host2:/root/.ssh/authorized_keys
  • An entry for host2 preconfigured in host1:~/.ssh/config as explained in the original tutorial.

Then you find out that in authorized_keys, you can only limit backupuser to run one command, not multiple:

root@host2:~# cat /root/.ssh/authorized_keys
command="commandname" ssh-rsa FBwfijwefwB(...etc...)

The solution is to set command to be a shell script:

command="/root/run_backup.sh" ssh-rsa FBwfijwefwB(...etc...)

Then, to let the shell script (located on host2) contain something like:

#!/bin/bash
# sshd ignores the command the client asked for and runs this script instead,
# but it exports the requested command in SSH_ORIGINAL_COMMAND, so we can
# dispatch on it and only ever run the commands listed here.

case "$SSH_ORIGINAL_COMMAND" in
    log)
        rdiff-backup --server --restrict-read-only /var/log
        ;;
    www)
        rdiff-backup --server --restrict-read-only /var/www
        ;;
    *)
        # Anything else is refused instead of silently exiting with success.
        echo "Rejected command: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
        ;;
esac

One problem that remains is how to call the commands the right way using rdiff-backup. The above commands can be manually triggered by doing:

backupuser@host1:~$ ssh -i ~/mykey root@host2 log

…but this won’t work with rdiff-backup. The solution is to call the remote command as follows:

backupuser@host1:~$ rdiff-backup --remote-schema 'ssh -C %s log' host2::/var/log /my/local/backupdir/log

There you go!

Other ideas

Although left out of this write-up, host2:/root/.ssh/authorized_keys should also contain the additional security variables (like: from="host1",no-port-forwarding) as explained in the original tutorial.
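An added example (not part of the original post) that audits a line of authorized_keys for the options the backup key should carry; the key material in the sample lines is constructed, and the set of required options is my assumption based on the restrictions mentioned above.

```shell
#!/bin/sh
# Added example, not from the original post: check one authorized_keys line
# for the restrictions a forced-command backup key should carry.
# The key material in the sample lines below is constructed, not a real key.

# Options the backup key on host2 is expected to have (assumed list).
REQUIRED_OPTS="command= from= no-port-forwarding no-pty no-agent-forwarding no-X11-forwarding"

# key_options LINE: print the option list (everything before the key type),
# or nothing if the line starts directly with the key type.
key_options() {
    case "$1" in
        ssh-*|ecdsa-*|sk-*) ;;
        *)
            o=$1
            o=${o%%" ssh-"*}; o=${o%%" ecdsa-"*}; o=${o%%" sk-"*}
            printf '%s\n' "$o"
            ;;
    esac
}

# check_key_line LINE: print "ok" and return 0 when every required option is
# present; otherwise print "missing: <options>" and return 1.
check_key_line() {
    opts=$(key_options "$1")
    missing=""
    for want in $REQUIRED_OPTS; do
        # Options are comma separated; a leading comma makes the match uniform.
        case ",$opts" in
            *",$want"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample lines: the first is what host2:/root/.ssh/authorized_keys
# should look like, the second carries only the forced command.
GOOD_LINE='command="/root/run_backup.sh",from="host1",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed backupuser@host1'
BAD_LINE='command="/root/run_backup.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed backupuser@host1'

check_key_line "$GOOD_LINE"
check_key_line "$BAD_LINE" || true
```

Run it against each line of the real file with `while IFS= read -r l; do check_key_line "$l"; done < /root/.ssh/authorized_keys` to audit every key at once.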

If you have another backup task that you’d like to perform without the use of rdiff-backup, simply add it to the shell script on host2:

#!/bin/bash
# Same dispatcher as above, extended with a non-rdiff-backup task.

case "$SSH_ORIGINAL_COMMAND" in
    log)
        rdiff-backup --server --restrict-read-only /var/log
        ;;
    www)
        rdiff-backup --server --restrict-read-only /var/www
        ;;
    dumpdb)
        # "Password" and "databasename" are placeholders. Note that a password
        # given on the command line is visible to other users in the process list.
        mysqldump -u backupuser -pPassword databasename
        ;;
    *)
        echo "Rejected command: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
        ;;
esac

Which can then be triggered from host1 using something like:

backupuser@host1:~$ ssh -i ~/mykey root@host2 dumpdb > /my/local/backupdir/dbdump.sql