Backup/Server/Dokumentation: Difference between revisions
Revision as of 18:50, 8 November 2020
Project documentation: backup server
Log
Documentation (max. 10 pages; max. 5 MB)
Cover sheet (not counted toward the page count)
- Project title: Setup and configuration of a backup server in a LAN for client backups, plus the setup of an external backup solution.
- Surname and first name: Quies, Robert
- Examination board: ITSE 02
- Training occupation: IT systems electronics technician (IT-Systemelektroniker)
- Training institution / internship company: itw gGmbH, Groninger Straße 25, 13347 Berlin / Dirk Wagner Berlin, Carstennstraße 6, 12205 Berlin
Table of contents (not counted toward the page count)
Introduction
- Setup and configuration of a backup server in a LAN for client backups, plus the setup of an external backup solution.
Current state (IST)
- Internet access at 1 Gbit/s
- Router: operating system: OPNsense
- Three clients: operating system: Debian GNU/Linux
- So far, backups are run irregularly and directly from the client.
- There is no backup server in the LAN.
- The volume of data to be backed up is currently about 1 TB, but is expected to grow gradually.
Target state (SOLL)
- A two-tier backup system is to be set up.
- A local server is to be set up on which the data of the clients in the LAN is backed up.
- In addition, an external backup server is to be rented, to which the files of the local server are transferred in encrypted form and stored in archives.
- An automated backup schedule is to be part of the solution.
- The hardware for the local backup server is to be newly purchased.
Start phase
Project planning
Implementation phase
duply
Create a profile
duply <backupname> create
The files conf and exclude are created automatically under /root/.duply/backuptest/.
Create a GPG key
gpg --gen-key
or
gpg --full-generate-key
Console
root@linsrv01:~# gpg --full-generate-key
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Bitte wählen Sie, welche Art von Schlüssel Sie möchten:
   (1) RSA und RSA (voreingestellt)
   (2) DSA und Elgamal
   (3) DSA (nur signieren/beglaubigen)
   (4) RSA (nur signieren/beglaubigen)
Ihre Auswahl? 1
RSA-Schlüssel können zwischen 1024 und 4096 Bit lang sein.
Welche Schlüssellänge wünschen Sie? (3072) 4096
Die verlangte Schlüssellänge beträgt 4096 Bit
Bitte wählen Sie, wie lange der Schlüssel gültig bleiben soll.
   0 = Schlüssel verfällt nie
   <n> = Schlüssel verfällt nach n Tagen
   <n>w = Schlüssel verfällt nach n Wochen
   <n>m = Schlüssel verfällt nach n Monaten
   <n>y = Schlüssel verfällt nach n Jahren
Wie lange bleibt der Schlüssel gültig? (0) 1y
Key verfällt am Do 04 Nov 2021 18:26:30 CET
Ist dies richtig? (j/N) j
GnuPG erstellt eine User-ID, um Ihren Schlüssel identifizierbar zu machen.
Ihr Name ("Vorname Nachname"): Robert Quies
Email-Adresse: raqju@web.de
Kommentar: Es grünt so grün, wenn Spaniens Blüten blühn.
Sie benutzen den Zeichensatz `utf-8'
Sie haben diese User-ID gewählt:
    "Robert Quies (Es grünt so grün, wenn Spaniens Blüten blühn.) <raqju@web.de>"
Ändern: (N)ame, (K)ommentar, (E)-Mail oder (F)ertig/(A)bbrechen? F
Wir müssen eine ganze Menge Zufallswerte erzeugen. Sie können dies
unterstützen, indem Sie z.B. in einem anderen Fenster/Konsole irgendetwas
tippen, die Maus verwenden oder irgendwelche anderen Programme benutzen.
Wir müssen eine ganze Menge Zufallswerte erzeugen. Sie können dies
unterstützen, indem Sie z.B. in einem anderen Fenster/Konsole irgendetwas
tippen, die Maus verwenden oder irgendwelche anderen Programme benutzen.
gpg: /root/.gnupg/trustdb.gpg: trust-db erzeugt
gpg: Schlüssel F47E1B7450082D11 ist als ultimativ vertrauenswürdig gekennzeichnet
gpg: Verzeichnis `/root/.gnupg/openpgp-revocs.d' erzeugt
gpg: Widerrufzertifikat wurde als '/root/.gnupg/openpgp-revocs.d/60E3D3C9ED78CE4A40322BBAF47E1B7450082D11.rev' gespeichert.
Öffentlichen und geheimen Schlüssel erzeugt und signiert.
pub   rsa4096 2020-11-04 [SC] [verfällt: 2021-11-04]
      60E3D3C9ED78CE4A40322BBAF47E1B7450082D11
uid   Robert Quies (Es grünt so grün, wenn Spaniens Blüten blühn.) <raqju@web.de>
sub   rsa4096 2020-11-04 [E] [verfällt: 2021-11-04]
Display the key ID
Private key
gpg --list-secret-keys --keyid-format LONG
Console
root@linsrv01:~# gpg --list-secret-keys --keyid-format LONG
gpg: "Trust-DB" wird überprüft
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: Tiefe: 0 gültig: 1 signiert: 0 Vertrauen: 0-, 0q, 0n, 0m, 0f, 1u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2021-11-04
/root/.gnupg/pubring.kbx
------------------------
sec   rsa4096/F47E1B7450082D11 2020-11-04 [SC] [verfällt: 2021-11-04]
      60E3D3C9ED78CE4A40322BBAF47E1B7450082D11
uid   [ ultimativ ] Robert Quies (Es grünt so grün, wenn Spaniens Blüten blühn.) <raqju@web.de>
ssb   rsa4096/B2E20485FF7FC772 2020-11-04 [E] [verfällt: 2021-11-04]
Public key
gpg --list-keys --keyid-format LONG
Console
root@linsrv01:~# gpg --list-keys --keyid-format LONG
/root/.gnupg/pubring.kbx
------------------------
pub   rsa4096/F47E1B7450082D11 2020-11-04 [SC] [verfällt: 2021-11-04]
      60E3D3C9ED78CE4A40322BBAF47E1B7450082D11
uid   [ ultimativ ] Robert Quies (Es grünt so grün, wenn Spaniens Blüten blühn.) <raqju@web.de>
sub   rsa4096/B2E20485FF7FC772 2020-11-04 [E] [verfällt: 2021-11-04]
duply configuration
vi /root/.duply/backuptest/conf
root@linsrv01:~# cat /root/.duply/backuptest/conf
# gpg encryption settings, simple settings:
#  GPG_KEY='disabled' - disables encryption alltogether
#  GPG_KEY='<key1>[,<key2>]'; GPG_PW='pass' - encrypt with keys,
#   sign if secret key of key1 is available use GPG_PW for sign & decrypt
#  Note: you can specify keys via all methods described in gpg manpage,
#        section "How to specify a user ID", escape commas (,) via backslash (\)
#        e.g. 'Mueller, Horst', 'Bernd' -> 'Mueller\, Horst, Bernd'
#        as they are used to separate the entries
#  GPG_PW='passphrase' - symmetric encryption using passphrase only
GPG_KEY='B2E20485FF7FC772 '
GPG_PW='roottutgut'
# gpg encryption settings in detail (extended settings)
#  the above settings translate to the following more specific settings
#  GPG_KEYS_ENC='<keyid1>[,<keyid2>,...]' - list of pubkeys to encrypt to
#  GPG_KEY_SIGN='<keyid1>|disabled' - a secret key for signing
#  GPG_PW='<passphrase>' - needed for signing, decryption and symmetric
#   encryption. If you want to deliver different passphrases for e.g.
#   several keys or symmetric encryption plus key signing you can use
#   gpg-agent. Simply make sure that GPG_AGENT_INFO is set in environment.
#   also see "A NOTE ON SYMMETRIC ENCRYPTION AND SIGNING" in duplicity manpage
# notes on en/decryption
#  private key and passphrase will only be needed for decryption or signing.
#  decryption happens on restore and incrementals (compare archdir contents).
#  for security reasons it makes sense to separate the signing key from the
#  encryption keys. https://answers.launchpad.net/duplicity/+question/107216
#GPG_KEYS_ENC='<pubkey1>,<pubkey2>,...'
#GPG_KEY_SIGN='<prvkey>'
# set if signing key passphrase differs from encryption (key) passphrase
# NOTE: available since duplicity 0.6.14, translates to SIGN_PASSPHRASE
#GPG_PW_SIGN='<signpass>'
# uncomment and set a file path or name force duply to use this gpg executable
# available in duplicity 0.7.04 and above (currently unreleased 06/2015)
#GPG='/usr/local/gpg-2.1/bin/gpg'
# gpg options passed from duplicity to gpg process (default=)
# e.g. "--trust-model pgp|classic|direct|always"
#   or "--compress-algo=bzip2 --bzip2-compress-level=9"
#   or "--personal-cipher-preferences AES256,AES192,AES..."
#   or "--homedir ~/.duply" - keep keyring and gpg settings duply specific
#   or "--pinentry-mode loopback" - needed for GPG 2.1+ _and_
#      also enable allow-loopback-pinentry in your .gnupg/gpg-agent.conf
GPG_OPTS='--compress-algo=bzip2 --bzip2-compress-level=9 --personal-cipher-preferences AES256
# disable preliminary tests with the following setting
#GPG_TEST='disabled'
# backend, credentials & location of the backup target (URL-Format)
# generic syntax is
#   scheme://[user[:password]@]host[:port]/[/]path
# eg.
#   sftp://bob:secret@backupserver.com//home/bob/dupbkp
# for details and available backends see duplicity manpage, section URL Format
#   http://duplicity.nongnu.org/duplicity.1.html#sect7
# BE AWARE:
#   some backends (cloudfiles, S3 etc.) need additional env vars to be set to
#   work properly, read after the TARGET definition for more details.
# ATTENTION:
#   characters other than A-Za-z0-9.-_.~ in the URL have to be
#   replaced by their url encoded pendants, see
#     http://en.wikipedia.org/wiki/Url_encoding
#   if you define the credentials as TARGET_USER, TARGET_PASS below duply
#   will try to url_encode them for you if the need arises.
TARGET='file:///home/user/zielbackup'
# optionally the username/password can be defined as extra variables
# setting them here _and_ in TARGET results in an error
# ATTENTION:
#   there are backends that do not support the user/pass auth scheme.
#   prominent examples are S3, Azure, Cloudfiles. when in doubt consult the
#   duplicity manpage. usually there is a NOTE section explaining if and which
#   env vars should be set.
#TARGET_USER='_backend_username_'
#TARGET_PASS='_backend_password_'
# eg. for cloud files backend it might look like this (uncomment for use!)
#export CLOUDFILES_USERNAME='someuser'
#export CLOUDFILES_APIKEY='somekey'
#export CLOUDFILES_AUTHURL ='someurl'
# the following is an incomplete list (<backend>: comma separated env vars list)
# Azure: AZURE_ACCOUNT_NAME, AZURE_ACCOUNT_KEY
# Cloudfiles: CLOUDFILES_USERNAME, CLOUDFILES_APIKEY, CLOUDFILES_AUTHURL
# Google Cloud Storage: GS_ACCESS_KEY_ID, GS_SECRET_ACCESS_KEY
# Pydrive: GOOGLE_DRIVE_ACCOUNT_KEY, GOOGLE_DRIVE_SETTINGS
# S3: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
# Swift: SWIFT_USERNAME, SWIFT_PASSWORD, SWIFT_AUTHURL,
#        SWIFT_TENANTNAME OR SWIFT_PREAUTHURL, SWIFT_PREAUTHTOKEN
# base directory to backup
SOURCE='/'
# a command that runs duplicity e.g.
#  shape bandwidth use via trickle
#  "trickle -s -u 640 -d 5120" # 5Mb up, 40Mb down"
#DUPL_PRECMD=""
# override the used python interpreter, defaults to
#  - parsed result of duplicity's shebang or 'python2'
#  e.g. "python2" or "/usr/bin/python2.7"
#PYTHON="python"
# exclude folders containing exclusion file (since duplicity 0.5.14)
# Uncomment the following two lines to enable this setting.
#FILENAME='.duplicity-ignore'
#DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
# Time frame for old backups to keep, Used for the "purge" command.
# see duplicity man page, chapter TIME_FORMATS)
MAX_AGE=1M
# Number of full backups to keep. Used for the "purgeFull" command.
# See duplicity man page, action "remove-all-but-n-full".
MAX_FULL_BACKUPS=1
# Number of full backups for which incrementals will be kept for.
# Used for the "purgeIncr" command.
# See duplicity man page, action "remove-all-inc-of-but-n-full".
#MAX_FULLS_WITH_INCRS=1
# activates duplicity --full-if-older-than option (since duplicity v0.4.4.RC3)
# forces a full backup if last full backup reaches a specified age, for the
# format of MAX_FULLBKP_AGE see duplicity man page, chapter TIME_FORMATS
# Uncomment the following two lines to enable this setting.
#MAX_FULLBKP_AGE=1M
#DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
# sets duplicity --volsize option (available since v0.4.3.RC7)
# set the size of backup chunks to VOLSIZE MB instead of the default 25MB.
# VOLSIZE must be number of MB's to set the volume size to.
# Uncomment the following two lines to enable this setting.
VOLSIZE=100
DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "
# verbosity of output (error 0, warning 1-2, notice 3-4, info 5-8, debug 9)
# default is 4, if not set
VERBOSITY=8
# temporary file space. at least the size of the biggest file in backup
# for a successful restoration process. (default is '/tmp', if not set)
#TEMP_DIR=/tmp
# Modifies archive-dir option (since 0.6.0) Defines a folder that holds
# unencrypted meta data of the backup, enabling new incrementals without the
# need to decrypt backend metadata first. If empty or deleted somehow, the
# private key and it's password are needed.
# NOTE: This is confidential data. Put it somewhere safe. It can grow quite
#       big over time so you might want to put it not in the home dir.
# default '~/.cache/duplicity/duply_<profile>/'
# if set '${ARCH_DIR}/<profile>'
#ARCH_DIR=/some/space/safe/.duply-cache
# DEPRECATED setting
# sets duplicity --time-separator option (since v0.4.4.RC2) to allow users
# to change the time separator from ':' to another character that will work
# on their system. HINT: For Windows SMB shares, use --time-separator='_'.
# NOTE: '-' is not valid as it conflicts with date separator.
# ATTENTION: only use this with duplicity < 0.5.10, since then default file
#            naming is compatible and this option is pending depreciation
#DUPL_PARAMS="$DUPL_PARAMS --time-separator _ "
# DEPRECATED setting
# activates duplicity --short-filenames option, when uploading to a file
# system that can't have filenames longer than 30 characters (e.g. Mac OS 8)
# or have problems with ':' as part of the filename (e.g. Microsoft Windows)
# ATTENTION: only use this with duplicity < 0.5.10, later versions default file
#            naming is compatible and this option is pending depreciation
#DUPL_PARAMS="$DUPL_PARAMS --short-filenames "
# more duplicity command line options can be added in the following way
# don't forget to leave a separating space char at the end
#DUPL_PARAMS="$DUPL_PARAMS --put_your_options_here "
exclude configuration
root@linsrv01:~# cat /root/.duply/backuptest/exclude
# although called exclude, this file is actually a globbing file list
# duplicity accepts some globbing patterns, even including ones here
# here is an example, this incl. only 'dir/bar' except it's subfolder 'foo'
# - dir/bar/foo
# + dir/bar
# - **
# for more details see duplicity manpage, section File Selection
# http://duplicity.nongnu.org/duplicity.1.html#sect9
+ /etc
- **
Error message
- When trying to create the backup manually, command:
# duply /root/.duply/backup007 full_verify_purge --force
New error
root@linsrv01:~# /usr/bin/duply /root/.duply/backuptest full_verify_purge --force
Start duply v2.1, time is 2020-11-04 19:52:32.
/root/.duply/backuptest/conf: Zeile 96: shebang: Kommando nicht gefunden.
Using profile '/root/.duply/backuptest'.
Sorry. A fatal ERROR occured:
Source Path (setting SOURCE) not set or still default value in conf file
'/root/.duply/backuptest/conf'.
Message
[GNUPG:] PINENTRY_LAUNCHED 23758 curses 1.1.0 - linux -
gpg: Beglaubigung fehlgeschlagen: Unpassender IOCTL (I/O-Control) für das Gerät
[GNUPG:] BEGIN_ENCRYPTION 2 9
[GNUPG:] FAILURE sign-encrypt 83918950
gpg: /usr/bin/duply: sign+encrypt failed: Unpassender IOCTL (I/O-Control) für das Gerät
Solution
echo use-agent >> ~/.gnupg/gpg.conf
echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
echo allow-loopback-pinentry >> ~/.gnupg/gpg-agent.conf
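The first error above (`shebang: Kommando nicht gefunden` at conf line 96, followed by SOURCE reported as not set) is consistent with the GPG_OPTS value in the conf shown earlier, which has no closing quote: duply sources the conf as shell code, so an open quote swallows the lines that follow it. The lint below is an added example, not part of the original documentation or of duply; the function names, findings and sample values are constructed, and the checks are heuristics.

```shell
#!/bin/sh
# Added example: heuristic lint for a duply profile conf, which duply sources as shell code.
# lint_duply_conf FILE prints one finding per line and returns 1 if there are any.
lint_duply_conf() (
    conf=$1; n=0; bad=0; secret=0
    report() { printf '%s\n' "$1"; bad=1; }

    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;    # blank line or comment
        esac
        # An odd number of single quotes leaves a string open, so the shell
        # keeps reading into the lines that follow (comments included).
        q=$(printf '%s' "$line" | tr -cd "'" | wc -c)
        [ $(($q % 2)) -eq 0 ] || report "line $n: unbalanced single quote"
        case $line in
            GPG_KEY="' "*|GPG_KEY=\'*" '")
                report "line $n: whitespace around GPG_KEY value" ;;
        esac
        case $line in
            GPG_PW="''"|TARGET_PASS="''") ;;    # empty, nothing stored
            GPG_PW=?*|TARGET_PASS=?*) secret=1 ;;
        esac
    done < "$conf"

    # A conf holding a passphrase should be accessible to its owner only.
    mode=$(ls -ld "$conf" | cut -c5-10)
    if [ "$secret" -eq 1 ] && [ "$mode" != "------" ]; then
        report "file: holds a passphrase but group/other bits are set ($mode)"
    fi
    return "$bad"
)

# Constructed sample with placeholder values, mirroring the pattern in the conf above.
write_sample_conf() {
    cat > "$1" <<'EOF'
GPG_KEY='0123456789ABCDEF '
GPG_PW='example-passphrase'
GPG_OPTS='--compress-algo=bzip2 --personal-cipher-preferences AES256
# override the used python interpreter, defaults to
#  - parsed result of duplicity's shebang or 'python2'
SOURCE='/'
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
chmod 644 "$sample"
lint_duply_conf "$sample" || echo "fix the findings above before running duply"
rm -f "$sample"
```

Because the quote check looks only at active lines, apostrophes in the template's comments do not trigger it; an inline comment containing an apostrophe after an assignment would.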
GPG
SSH connection: internal backup server to external backup server
Generate a new SSH key pair
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3ZeuQsMoEyjbiFkgf+GsWabX7dugttaCoM1fZTySTao root@linsrv01
The key's randomart image is:
+---[RSA 2048]----+
| |
|o . |
|.o o o . |
| + B .* . . . |
| + % .+oSo. . o |
|o B o.++o.+ o |
| + oE..=.. . . |
|. o ..+.oo. . |
| ..ooo..... |
+----[SHA256]-----+
Important: so that logging in later works automatically, i.e. here without a passphrase prompt, simply enter nothing at the prompts
- Enter passphrase (empty for no passphrase):
- Enter same passphrase again:
This makes the private key somewhat less secure, but that is acceptable when weighing practicality against security.
Create the authorized_keys file
# cat /root/.ssh/id_rsa.pub >> /root/.ssh/storagebox_authorized_keys
Upload the authorized_keys file
# echo -e "mkdir .ssh \n chmod 700 .ssh \n put /root/.ssh/storagebox_authorized_keys .ssh/authorized_keys \n chmod 600 .ssh/authorized_keys" | sftp -P23 u153662-sub1@u153662.your-storagebox.de
u153662-sub1@u153662.your-storagebox.de's password:
Connected to u153662-sub1@u153662.your-storagebox.de.
sftp> mkdir .ssh
sftp> chmod 700 .ssh
Changing mode on /home/.ssh
sftp> put /root/.ssh/storagebox_authorized_keys /home/.ssh/storagebox_authorized_keys
Uploading /root/.ssh/storagebox_authorized_keys to /home/.ssh/storagebox_authorized_keys
/root/.ssh/storagebox_authorized_keys 100% 395 13.5KB/s 00:00
sftp> chmod 600 /home/.ssh/storagebox_authorized_keys
Changing mode on /home/.ssh/storagebox_authorized_keys
- Log in to the external server again and enter the passphrase.
# sftp u153662-sub1@u153662.your-storagebox.de
sftp>
Closing phase
Conclusion
- Reflection
- Deviations between target state (SOLL) and current state (IST)
- Identify potential for improvement
- Present the results
Sources
- https://wiki.ubuntuusers.de/rsnapshot/
- https://www.thomas-krenn.com/de/wiki/Backup_unter_Linux_mit_duply
- https://wiki.ubuntuusers.de/GnuPG/
Appendix (max. 10 pages)
- Quote for the internal backup server
- Quote for the external backup server
- Customer order
- Floor plan
- Network plan
- Sketches
- Circuit diagram?
- rsnapshot config file
- duply config file
- GPG procedure: key creation
- Photos
- Measurement logs