Remote backups using ssh and dump
david.robillard at gmail.com
Fri Apr 4 19:40:58 UTC 2008
> Has anyone done this?
> I'm presently using rsync over ssh, but I think dump would be better if it will
> work. I've been reading the man page, but I'm wondering if anyone is doing
> this successfully and would like to share their cmdline.
We're not using dump over ssh but I was curious to know why you'd
prefer dump over rsync?
We're using rsync and it's been good to us. So, I'd like to share with
you our backup strategy. Just in case it can help you or anyone
running various UNIX flavors. We use FreeBSD, RedHat Enterprise Linux,
Ubuntu Linux and IBM AIX in this setup.
This is a disk to disk to tape scenario.
All clients are configured with a user called "backup" with a UID of
zero (so that he can read everything). It's shell is set to rssh which
in turn is configured to allow rsync only to the backup user. We limit
who can connect to each clients via sshd_conf's AllowUsers config.
Each client has the central backup server's special ssh key file
installed in ~backup/.ssh/authorized_keys edited to have
from="backup.domain.com", in it to restrict which machine can use this
The central FreeBSD backup server has ssh access to every clients and
has rsnapshot installed. We have an rsnapshot configuration for each
client. Each backup run is scheduled via the server's crontab. Backup
data is stored on the server's encrypted backup volume. The nice thing
about rsnapshot is that it uses efficient links to save disk space. In
the first run of a new client it takes the entire data set. But each
subsequent run only takes the changes. But the backup data is kept
online so you can actually browse it live and use scp/tar/rsync to
perform a restore. Be it a single file or the entire file system.
Using rsnapshot enables us to save a week's worth of data of all our
100+ machines without using more than 300Gb of disk space on the
backup server (lots of machines, but not much data, we're quite lucky
Each day, the backup data is passed with dd into OpenPGP before being
sent to tape with tar. This way our tapes are encrypted and impossible
to read without the appropriate password. That password is kept on an
encrypted file. We can therefore send our tapes off site with any
company knowing our data is safe. All the admins keep a detailed
howto and the important encrypted password files on a USB stick in
case the data center fails and we loose our wiki and the file server.
If anyone is interested in the exact configuration of this backup
setup, we have it all in a wiki, so it's easy to share it.
Hope that can help anyone,
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
More information about the freebsd-questions