Duply
A simple Python script for creating incremental, symmetrically encrypted file-level backups.
duply
- Is a frontend for duplicity.
- Backups can be stored locally on the backed-up machine or remotely on another system.
- Supports ftp, ssh, s3, rsync, cifs, webdav, http.
Installation
# apt install duply
Configuration
Create a new duply profile
# duply <backupname> create
A duply profile is created automatically in the user's home directory under ~/.duply/ and consists of the following files:
- gpg-key.asc (optional, only if a GPG key was exported)
- conf
- pre and post
- exclude
Create a GPG key
While the key is being generated, it is advisable to do other work on the host to increase the entropy on the system, e.g. by moving the mouse quickly and/or typing on the keyboard.
This speeds up key generation because the host gets the random values needed for the key more quickly.
gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Example User
Email address: email@example.com
Comment: Example Comment
You selected this USER-ID:
    "Example User <email@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 253 more bytes)
..........+++++
gpg: key 9627014B marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub 4096R/9627014B 2013-06-07
    Key fingerprint = 705D B57E 8526 FB24 360E E54D 13A1 AC6B 9627 014B
uid Example User <email@example.com>
sub 4096R/DB7D5661 2013-06-07
conf file
Important: the structure and content of automatically generated conf files can differ in places; for example, the list of supported protocols and their syntax is included in some and not in others.
Opening the conf file
Here it is located at /root/.duply/backup/conf.
# vi /root/.duply/backup/conf
# gpg encryption settings, simple settings:
# GPG_KEY='disabled' - disables encryption alltogether
# GPG_KEY='<key1>[,<key2>]'; GPG_PW='pass' - encrypt with keys,
# sign if secret key of key1 is available use GPG_PW for sign & decrypt
# Note: you can specify keys via all methods described in gpg manpage,
# section "How to specify a user ID", escape commas (,) via backslash (\)
# e.g. 'Mueller, Horst', 'Bernd' -> 'Mueller\, Horst, Bernd'
# as they are used to separate the entries
# GPG_PW='passphrase' - symmetric encryption using passphrase only
GPG_KEY='_KEY_ID_'
GPG_PW='_GPG_PASSWORD_'

# gpg encryption settings in detail (extended settings)
# the above settings translate to the following more specific settings
# GPG_KEYS_ENC='<keyid1>[,<keyid2>,...]' - list of pubkeys to encrypt to
# GPG_KEY_SIGN='<keyid1>|disabled' - a secret key for signing
# GPG_PW='<passphrase>' - needed for signing, decryption and symmetric
# encryption. If you want to deliver different passphrases for e.g.
# several keys or symmetric encryption plus key signing you can use
# gpg-agent. Simply make sure that GPG_AGENT_INFO is set in environment.
# also see "A NOTE ON SYMMETRIC ENCRYPTION AND SIGNING" in duplicity manpage
# notes on en/decryption
# private key and passphrase will only be needed for decryption or signing.
# decryption happens on restore and incrementals (compare archdir contents).
# for security reasons it makes sense to separate the signing key from the
# encryption keys. https://answers.launchpad.net/duplicity/+question/107216
#GPG_KEYS_ENC='<pubkey1>,<pubkey2>,...'
#GPG_KEY_SIGN='<prvkey>'
# set if signing key passphrase differs from encryption (key) passphrase
# NOTE: available since duplicity 0.6.14, translates to SIGN_PASSPHRASE
#GPG_PW_SIGN='<signpass>'

# uncomment and set a file path or name force duply to use this gpg executable
# available in duplicity 0.7.04 and above (currently unreleased 06/2015)
#GPG='/usr/local/gpg-2.1/bin/gpg'

# gpg options passed from duplicity to gpg process (default='')
# e.g. "--trust-model pgp|classic|direct|always"
# or "--compress-algo=bzip2 --bzip2-compress-level=9"
# or "--personal-cipher-preferences AES256,AES192,AES..."
# or "--homedir ~/.duply" - keep keyring and gpg settings duply specific
# or "--pinentry-mode loopback" - needed for GPG 2.1+ _and_
# also enable allow-loopback-pinentry in your .gnupg/gpg-agent.conf
#GPG_OPTS=

# disable preliminary tests with the following setting
#GPG_TEST='disabled'

# backend, credentials & location of the backup target (URL-Format)
# generic syntax is
# scheme://[user[:password]@]host[:port]/[/]path
# eg.
# sftp://bob:secret@backupserver.com//home/bob/dupbkp
# for details and available backends see duplicity manpage, section URL Format
# http://duplicity.nongnu.org/duplicity.1.html#sect7
# listing of some supported protocols and their syntax
# file://[/absolute_]path
# ftp[s]://user[:password]@other.host[:port]/some_dir
# hsi://user[:password]@other.host/some_dir
# cf+http://container_name
# imap[s]://user[:password]@host.com[/from_address_prefix]
# rsync://user[:password]@other.host[:port]::/module/some_dir
# # rsync over ssh (only keyauth)
# rsync://user@other.host[:port]/relative_path
# rsync://user@other.host[:port]//absolute_path
# # for the s3 user/password are AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY
# s3://[user:password]@host/bucket_name[/prefix]
# s3+http://[user:password]@bucket_name[/prefix]
# # scp and sftp are aliases for the ssh backend
# ssh://user[:password]@other.host[:port]/some_dir
# tahoe://alias/directory
# webdav[s]://user[:password]@other.host/some_dir
# BE AWARE:
# some backends (cloudfiles, S3 etc.) need additional env vars to be set to
# work properly, read after the TARGET definition for more details.
# ATTENTION:
# characters other than A-Za-z0-9.-_.~ in the URL have to be
# replaced by their url encoded pendants, see
# http://en.wikipedia.org/wiki/Url_encoding
# if you define the credentials as TARGET_USER, TARGET_PASS below duply
# will try to url_encode them for you if the need arises.
TARGET='scheme://user[:password]@host[:port]/[/]path'
# optionally the username/password can be defined as extra variables
# setting them here _and_ in TARGET results in an error
# ATTENTION:
# there are backends that do not support the user/pass auth scheme.
# prominent examples are S3, Azure, Cloudfiles. when in doubt consult the
# duplicity manpage. usually there is a NOTE section explaining if and which
# env vars should be set.
#TARGET_USER='_backend_username_'
#TARGET_PASS='_backend_password_'
# eg. for cloud files backend it might look like this (uncomment for use!)
#export CLOUDFILES_USERNAME='someuser'
#export CLOUDFILES_APIKEY='somekey'
#export CLOUDFILES_AUTHURL ='someurl'
# the following is an incomplete list (<backend>: comma separated env vars list)
# Azure: AZURE_ACCOUNT_NAME, AZURE_ACCOUNT_KEY
# Cloudfiles: CLOUDFILES_USERNAME, CLOUDFILES_APIKEY, CLOUDFILES_AUTHURL
# Google Cloud Storage: GS_ACCESS_KEY_ID, GS_SECRET_ACCESS_KEY
# Pydrive: GOOGLE_DRIVE_ACCOUNT_KEY, GOOGLE_DRIVE_SETTINGS
# S3: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
# Swift: SWIFT_USERNAME, SWIFT_PASSWORD, SWIFT_AUTHURL,
# SWIFT_TENANTNAME OR SWIFT_PREAUTHURL, SWIFT_PREAUTHTOKEN

# base directory to backup
SOURCE='/path/of/source'

# a command that runs duplicity e.g.
# shape bandwidth use via trickle
# "trickle -s -u 640 -d 5120" # 5Mb up, 40Mb down"
#DUPL_PRECMD=""

# override the used python interpreter, defaults to
# - parsed result of duplicity's shebang or 'python2'
# e.g. "python2" or "/usr/bin/python2.7"
#PYTHON="python"

# exclude folders containing exclusion file (since duplicity 0.5.14)
# Uncomment the following two lines to enable this setting.
#FILENAME='.duplicity-ignore'
#DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"

# Time frame for old backups to keep, Used for the "purge" command.
# see duplicity man page, chapter TIME_FORMATS)
#MAX_AGE=1M

# Number of full backups to keep. Used for the "purgeFull" command.
# See duplicity man page, action "remove-all-but-n-full".
#MAX_FULL_BACKUPS=1

# Number of full backups for which incrementals will be kept for.
# Used for the "purgeIncr" command.
# See duplicity man page, action "remove-all-inc-of-but-n-full".
#MAX_FULLS_WITH_INCRS=1

# activates duplicity --full-if-older-than option (since duplicity v0.4.4.RC3)
# forces a full backup if last full backup reaches a specified age, for the
# format of MAX_FULLBKP_AGE see duplicity man page, chapter TIME_FORMATS
# Uncomment the following two lines to enable this setting.
#MAX_FULLBKP_AGE=1M
#DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "

# sets duplicity --volsize option (available since v0.4.3.RC7)
# set the size of backup chunks to VOLSIZE MB instead of the default 25MB.
# VOLSIZE must be number of MB's to set the volume size to.
# Uncomment the following two lines to enable this setting.
#VOLSIZE=50
#DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "

# verbosity of output (error 0, warning 1-2, notice 3-4, info 5-8, debug 9)
# default is 4, if not set
#VERBOSITY=5

# temporary file space. at least the size of the biggest file in backup
# for a successful restoration process. (default is '/tmp', if not set)
#TEMP_DIR=/tmp

# Modifies archive-dir option (since 0.6.0) Defines a folder that holds
# unencrypted meta data of the backup, enabling new incrementals without the
# need to decrypt backend metadata first. If empty or deleted somehow, the
# private key and it's password are needed.
# NOTE: This is confidential data. Put it somewhere safe. It can grow quite
# big over time so you might want to put it not in the home dir.
# default '~/.cache/duplicity/duply_<profile>/'
# if set '${ARCH_DIR}/<profile>'
#ARCH_DIR=/some/space/safe/.duply-cache

# DEPRECATED setting
# sets duplicity --time-separator option (since v0.4.4.RC2) to allow users
# to change the time separator from ':' to another character that will work
# on their system. HINT: For Windows SMB shares, use --time-separator='_'.
# NOTE: '-' is not valid as it conflicts with date separator.
# ATTENTION: only use this with duplicity < 0.5.10, since then default file
# naming is compatible and this option is pending depreciation
#DUPL_PARAMS="$DUPL_PARAMS --time-separator _ "

# DEPRECATED setting
# activates duplicity --short-filenames option, when uploading to a file
# system that can't have filenames longer than 30 characters (e.g. Mac OS 8)
# or have problems with ':' as part of the filename (e.g. Microsoft Windows)
# ATTENTION: only use this with duplicity < 0.5.10, later versions default file
# naming is compatible and this option is pending depreciation
#DUPL_PARAMS="$DUPL_PARAMS --short-filenames "

# more duplicity command line options can be added in the following way
# don't forget to leave a separating space char at the end
#DUPL_PARAMS="$DUPL_PARAMS --put_your_options_here "
Setting up symmetric encryption
The key ID and the password of the GPG key must be stored in the conf file for this.
Here the key ID is 9627014B (see the last 4 lines of the output under "Create a GPG key").
GPG_KEY='9627014B'
GPG_PW='_GPG_PASSWORD_'
Setting compression and type of encryption
In addition, GPG_OPTS= can carry further options for compression and the type of encryption.
GPG_OPTS='--compress-algo=bzip2 --personal-cipher-preferences AES256,AES192'
Enabling/disabling the check of GPG key and passphrase
Before every action, duply checks whether the GPG key is valid and the passphrase is correct.
This can be suppressed with the option GPG_TEST='disabled'.
Option enabled (the check is skipped)
GPG_TEST='disabled'
Option disabled (the check is performed)
# GPG_TEST='disabled'
Setting target and source of the backup
General syntax of the host
scheme://[user:password@]host[:port]/[/]path
Setting the transfer protocol
duply understands all common data transfer protocols.
The conf file usually contains a list of the most important supported protocols and their syntax.
# file://[/absolute_]path
# ftp[s]://user[:password]@other.host[:port]/some_dir
# hsi://user[:password]@other.host/some_dir
# cf+http://container_name
# imap[s]://user[:password]@host.com[/from_address_prefix]
# rsync://user[:password]@other.host[:port]::/module/some_dir
# # rsync over ssh (only keyauth)
# rsync://user@other.host[:port]/relative_path
# rsync://user@other.host[:port]//absolute_path
# # for the s3 user/password are AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY
# s3://[user:password]@host/bucket_name[/prefix]
# s3+http://[user:password]@bucket_name[/prefix]
# # scp and sftp are aliases for the ssh backend
# ssh://user[:password]@other.host[:port]/some_dir
# tahoe://alias/directory
# webdav[s]://user[:password]@other.host/some_dir
Note that special characters must be entered URL-encoded, unless they are entered in the parameters TARGET_USER and TARGET_PASS.
TARGET='scheme://user[:password]@host[:port]/[/]path'
Next, the option SOURCE= sets the root directory for the backup.
If a backup is to consist of several subdirectories of / (e.g. /etc, /var and /home are to be backed up), the SOURCE variable must be set to /.
SOURCE='/'
The following parameters control the maximum age and the number of full backups that duply keeps.
Note that duply does not delete any backups unless it is asked to.
MAX_AGE sets the maximum age of backups.
MAX_AGE=1Y
MAX_FULL_BACKUPS sets the maximum number of full backups that duply keeps.
MAX_FULL_BACKUPS=5
Alternatively, MAX_FULLBKP_AGE specifies how old a full backup may be before a new full backup is created.
MAX_FULLBKP_AGE=2W
DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
To limit the time lost to possible transfer errors, duply by default splits its backups into files of 25 MB.
This can be changed with the VOLSIZE parameter.
VOLSIZE=10
DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "
Optional parameters such as VERBOSITY and TEMP_DIR can also be set.
Filled-in conf file
# gpg encryption settings, simple settings:
# GPG_KEY='disabled' - disables encryption alltogether
# GPG_KEY='<key1>[,<key2>]'; GPG_PW='pass' - encrypt with keys,
# sign if secret key of key1 is available use GPG_PW for sign & decrypt
# Note: you can specify keys via all methods described in gpg manpage,
# section "How to specify a user ID", escape commas (,) via backslash (\)
# e.g. 'Mueller, Horst', 'Bernd' -> 'Mueller\, Horst, Bernd'
# as they are used to separate the entries
# GPG_PW='passphrase' - symmetric encryption using passphrase only
GPG_KEY='9627014B'
GPG_PW='_GPG_PASSWORD_'

# gpg encryption settings in detail (extended settings)
# the above settings translate to the following more specific settings
# GPG_KEYS_ENC='<keyid1>[,<keyid2>,...]' - list of pubkeys to encrypt to
# GPG_KEY_SIGN='<keyid1>|disabled' - a secret key for signing
# GPG_PW='<passphrase>' - needed for signing, decryption and symmetric
# encryption. If you want to deliver different passphrases for e.g.
# several keys or symmetric encryption plus key signing you can use
# gpg-agent. Simply make sure that GPG_AGENT_INFO is set in environment.
# also see "A NOTE ON SYMMETRIC ENCRYPTION AND SIGNING" in duplicity manpage
# notes on en/decryption
# private key and passphrase will only be needed for decryption or signing.
# decryption happens on restore and incrementals (compare archdir contents).
# for security reasons it makes sense to separate the signing key from the
# encryption keys. https://answers.launchpad.net/duplicity/+question/107216
#GPG_KEYS_ENC='<pubkey1>,<pubkey2>,...'
#GPG_KEY_SIGN='<prvkey>'
# set if signing key passphrase differs from encryption (key) passphrase
# NOTE: available since duplicity 0.6.14, translates to SIGN_PASSPHRASE
#GPG_PW_SIGN='<signpass>'

# uncomment and set a file path or name force duply to use this gpg executable
# available in duplicity 0.7.04 and above (currently unreleased 06/2015)
#GPG='/usr/local/gpg-2.1/bin/gpg'

# gpg options passed from duplicity to gpg process (default='')
# e.g. "--trust-model pgp|classic|direct|always"
# or "--compress-algo=bzip2 --bzip2-compress-level=9"
# or "--personal-cipher-preferences AES256,AES192,AES..."
# or "--homedir ~/.duply" - keep keyring and gpg settings duply specific
# or "--pinentry-mode loopback" - needed for GPG 2.1+ _and_
# also enable allow-loopback-pinentry in your .gnupg/gpg-agent.conf
GPG_OPTS='--compress-algo=bzip2 --personal-cipher-preferences AES256,AES192'

# disable preliminary tests with the following setting
GPG_TEST='disabled'

# backend, credentials & location of the backup target (URL-Format)
# generic syntax is
# scheme://[user[:password]@]host[:port]/[/]path
# eg.
# sftp://bob:secret@backupserver.com//home/bob/dupbkp
# for details and available backends see duplicity manpage, section URL Format
# http://duplicity.nongnu.org/duplicity.1.html#sect7
# listing of some supported protocols and their syntax
# file://[/absolute_]path
# ftp[s]://user[:password]@other.host[:port]/some_dir
# hsi://user[:password]@other.host/some_dir
# cf+http://container_name
# imap[s]://user[:password]@host.com[/from_address_prefix]
# rsync://user[:password]@other.host[:port]::/module/some_dir
# # rsync over ssh (only keyauth)
# rsync://user@other.host[:port]/relative_path
# rsync://user@other.host[:port]//absolute_path
# # for the s3 user/password are AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY
# s3://[user:password]@host/bucket_name[/prefix]
# s3+http://[user:password]@bucket_name[/prefix]
# # scp and sftp are aliases for the ssh backend
# ssh://user[:password]@other.host[:port]/some_dir
# tahoe://alias/directory
# webdav[s]://user[:password]@other.host/some_dir
# BE AWARE:
# some backends (cloudfiles, S3 etc.) need additional env vars to be set to
# work properly, read after the TARGET definition for more details.
# ATTENTION:
# characters other than A-Za-z0-9.-_.~ in the URL have to be
# replaced by their url encoded pendants, see
# http://en.wikipedia.org/wiki/Url_encoding
# if you define the credentials as TARGET_USER, TARGET_PASS below duply
# will try to url_encode them for you if the need arises.
TARGET='scheme://user[:password]@host[:port]/[/]path'
# optionally the username/password can be defined as extra variables
# setting them here _and_ in TARGET results in an error
# ATTENTION:
# there are backends that do not support the user/pass auth scheme.
# prominent examples are S3, Azure, Cloudfiles. when in doubt consult the
# duplicity manpage. usually there is a NOTE section explaining if and which
# env vars should be set.
#TARGET_USER='_backend_username_'
#TARGET_PASS='_backend_password_'
# eg. for cloud files backend it might look like this (uncomment for use!)
#export CLOUDFILES_USERNAME='someuser'
#export CLOUDFILES_APIKEY='somekey'
#export CLOUDFILES_AUTHURL ='someurl'
# the following is an incomplete list (<backend>: comma separated env vars list)
# Azure: AZURE_ACCOUNT_NAME, AZURE_ACCOUNT_KEY
# Cloudfiles: CLOUDFILES_USERNAME, CLOUDFILES_APIKEY, CLOUDFILES_AUTHURL
# Google Cloud Storage: GS_ACCESS_KEY_ID, GS_SECRET_ACCESS_KEY
# Pydrive: GOOGLE_DRIVE_ACCOUNT_KEY, GOOGLE_DRIVE_SETTINGS
# S3: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
# Swift: SWIFT_USERNAME, SWIFT_PASSWORD, SWIFT_AUTHURL,
# SWIFT_TENANTNAME OR SWIFT_PREAUTHURL, SWIFT_PREAUTHTOKEN

# base directory to backup
SOURCE='/path/of/source'

# a command that runs duplicity e.g.
# shape bandwidth use via trickle
# "trickle -s -u 640 -d 5120" # 5Mb up, 40Mb down"
#DUPL_PRECMD=""

# override the used python interpreter, defaults to
# - parsed result of duplicity's shebang or 'python2'
# e.g. "python2" or "/usr/bin/python2.7"
#PYTHON="python"

# exclude folders containing exclusion file (since duplicity 0.5.14)
# Uncomment the following two lines to enable this setting.
#FILENAME='.duplicity-ignore'
#DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"

# Time frame for old backups to keep, Used for the "purge" command.
# see duplicity man page, chapter TIME_FORMATS)
#MAX_AGE=1M

# Number of full backups to keep. Used for the "purgeFull" command.
# See duplicity man page, action "remove-all-but-n-full".
#MAX_FULL_BACKUPS=1

# Number of full backups for which incrementals will be kept for.
# Used for the "purgeIncr" command.
# See duplicity man page, action "remove-all-inc-of-but-n-full".
#MAX_FULLS_WITH_INCRS=1

# activates duplicity --full-if-older-than option (since duplicity v0.4.4.RC3)
# forces a full backup if last full backup reaches a specified age, for the
# format of MAX_FULLBKP_AGE see duplicity man page, chapter TIME_FORMATS
# Uncomment the following two lines to enable this setting.
#MAX_FULLBKP_AGE=1M
#DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "

# sets duplicity --volsize option (available since v0.4.3.RC7)
# set the size of backup chunks to VOLSIZE MB instead of the default 25MB.
# VOLSIZE must be number of MB's to set the volume size to.
# Uncomment the following two lines to enable this setting.
#VOLSIZE=50
#DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "

# verbosity of output (error 0, warning 1-2, notice 3-4, info 5-8, debug 9)
# default is 4, if not set
#VERBOSITY=5

# temporary file space. at least the size of the biggest file in backup
# for a successful restoration process. (default is '/tmp', if not set)
#TEMP_DIR=/tmp

# Modifies archive-dir option (since 0.6.0) Defines a folder that holds
# unencrypted meta data of the backup, enabling new incrementals without the
# need to decrypt backend metadata first. If empty or deleted somehow, the
# private key and it's password are needed.
# NOTE: This is confidential data. Put it somewhere safe. It can grow quite
# big over time so you might want to put it not in the home dir.
# default '~/.cache/duplicity/duply_<profile>/'
# if set '${ARCH_DIR}/<profile>'
#ARCH_DIR=/some/space/safe/.duply-cache

# DEPRECATED setting
# sets duplicity --time-separator option (since v0.4.4.RC2) to allow users
# to change the time separator from ':' to another character that will work
# on their system. HINT: For Windows SMB shares, use --time-separator='_'.
# NOTE: '-' is not valid as it conflicts with date separator.
# ATTENTION: only use this with duplicity < 0.5.10, since then default file
# naming is compatible and this option is pending depreciation
#DUPL_PARAMS="$DUPL_PARAMS --time-separator _ "

# DEPRECATED setting
# activates duplicity --short-filenames option, when uploading to a file
# system that can't have filenames longer than 30 characters (e.g. Mac OS 8)
# or have problems with ':' as part of the filename (e.g. Microsoft Windows)
# ATTENTION: only use this with duplicity < 0.5.10, later versions default file
# naming is compatible and this option is pending depreciation
#DUPL_PARAMS="$DUPL_PARAMS --short-filenames "

# more duplicity command line options can be added in the following way
# don't forget to leave a separating space char at the end
#DUPL_PARAMS="$DUPL_PARAMS --put_your_options_here "
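The conf file stores GPG_PW, and possibly a backend password in TARGET, in clear text. The following added example (not part of duply or of the original page) audits a profile's conf for the settings discussed above; the function names, the finding labels and the constructed sample conf at the end are assumptions.

```shell
#!/bin/sh
# Added example: audit a duply profile's conf for risky settings.
# Assumed usage: audit_duply_conf /root/.duply/backup/conf

# Print the value of the last active (uncommented) KEY=... line, quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed "s/^['\"]//; s/['\"][[:space:]]*\$//"
}

# Count and print one finding.
report() { findings=$((findings + 1)); printf '%s\n' "$1"; }

# Print one finding per line; return 0 only if there are none.
audit_duply_conf() {
    conf=$1
    findings=0
    if [ ! -r "$conf" ]; then
        printf 'cannot read %s\n' "$conf" >&2
        return 2
    fi

    # The conf holds secrets in clear text, so the group and other
    # permission bits (characters 5-10 of the ls mode string) must be empty.
    perms=$(ls -ld -- "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        report "PERMS: conf is accessible to group/others, use chmod 600"
    fi

    gpg_key=$(conf_value GPG_KEY "$conf")
    gpg_pw=$(conf_value GPG_PW "$conf")
    gpg_test=$(conf_value GPG_TEST "$conf")
    target=$(conf_value TARGET "$conf")

    if [ "$gpg_key" = "disabled" ]; then
        report "NOENC: GPG_KEY='disabled', backups are stored unencrypted"
    fi
    if [ "$gpg_key" = "_KEY_ID_" ] || [ "$gpg_pw" = "_GPG_PASSWORD_" ]; then
        report "TEMPLATE: GPG_KEY or GPG_PW still holds the template placeholder"
    fi
    if [ "$gpg_test" = "disabled" ]; then
        report "NOTEST: GPG_TEST='disabled', key and passphrase are not checked before a run"
    fi
    # scheme://user:password@host/... means a password sits inside the URL.
    case $target in
        *://*:*@*) report "URLPW: TARGET embeds a clear-text password" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed sample conf (made-up values) to show the output.
demo=$(mktemp)
cat > "$demo" <<'EOF'
GPG_KEY='9627014B'
GPG_PW='_GPG_PASSWORD_'
GPG_TEST='disabled'
TARGET='sftp://bob:secret@backupserver.com//home/bob/dupbkp'
EOF
chmod 644 "$demo"
audit_duply_conf "$demo" || true
rm -f "$demo"
```

Only active assignments are evaluated, so a commented-out `# GPG_TEST='disabled'` is not reported.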
Pre and post scripts
duply allows the use of pre and post scripts.
The pre script is executed directly before the backup, the post script directly after the backup.
These scripts can be used, for example, to take snapshots of LVM volumes or dumps of SQL databases and include them in the backup.
The files pre and post must be located in the respective duply directory (e.g. /home/user/.duply/backup/) and be executable.
If the pre/post scripts are not executed as expected (e.g. with the backup methods "full/incr"), they can be specified explicitly: pre_incr_post
Example
Here is an example of a pre/post script that creates an SQL dump of all databases before the backup and deletes it again after the backup.
pre file
/usr/bin/mysqldump --all-databases -u root -ppw > /tmp/sqldump-$(date '+%F')
post file
/bin/rm /tmp/sqldump-$(date '+%F')
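The pre script above puts the database password on the command line and writes the dump to a predictable file under /tmp. A hardened variant as an added example (not from the original page or from duply): DUMP_DIR, MYSQL_CNF and the create/remove arguments are assumptions, and MYSQL_CNF is assumed to be a root-only option file with a [client] section holding user and password.

```shell
#!/bin/sh
# Added example: hardened variant of the pre/post dump scripts.
# DUMP_DIR and MYSQL_CNF are hypothetical paths, adjust them to the profile.
DUMP_DIR=${DUMP_DIR:-/root/duply-dump}
MYSQL_CNF=${MYSQL_CNF:-/root/.duply/backup/mysql.cnf}
MYSQLDUMP=${MYSQLDUMP:-/usr/bin/mysqldump}

dump_create() {
    out=$DUMP_DIR/all-databases.sql
    umask 077                          # new files and directories: owner only
    mkdir -p "$DUMP_DIR" || return 1
    chmod 700 "$DUMP_DIR" || return 1
    # --defaults-extra-file has to be the first option. It keeps the password
    # out of the process list, unlike -p<password> on the command line.
    if "$MYSQLDUMP" --defaults-extra-file="$MYSQL_CNF" --all-databases \
            > "$out.partial" && [ -s "$out.partial" ]; then
        mv "$out.partial" "$out"       # only a complete dump gets the final name
    else
        rm -f "$out.partial"
        echo "mysqldump failed, no dump written" >&2
        return 1
    fi
}

dump_remove() {
    # Fixed file name instead of $(date): a backup that runs past midnight
    # still removes the file that the pre step created.
    rm -f "$DUMP_DIR/all-databases.sql" "$DUMP_DIR/all-databases.sql.partial"
}

# pre calls this script with "create", post calls it with "remove".
case ${1:-} in
    create) dump_create ;;
    remove) dump_remove ;;
esac
```

The dump directory has to lie inside SOURCE and be included by the exclude file, otherwise the dump is created but never backed up.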
exclude
By default, duply works with a whitelist.
To include certain directories or files in a backup, the file exclude must be created in the duply directory.
The syntax allows directories and files to be added with + /pfad/zur/datei.
To exclude a directory, a line - /pfad/zum/Verzeichnis must be added to the exclude file.
duply also allows the use of wildcards.
The exclude file shown here backs up the directories /etc/, /root/ and /var/www/ and excludes all other directories.
+ /etc/
+ /root/
+ /var/www/
- **
Parameters
duply offers a large number of command-line parameters for backing up and restoring data.
The complete list can be found in the duply man page.
When several parameters are used, they are separated by an underscore (_).
/usr/bin/duply /root/.duply/test full_verify_purge --force creates a full backup, verifies it and deletes old backups.
Backups that have exceeded MAX_AGE are listed by purge and deleted when the additional option --force is given.
The command /usr/bin/duply /root/.duply/test incr runs an incremental backup.
cronjob
duply is not a service (daemon) but a script that can be run regularly, e.g. via cron.
An example cron job configuration would be:
0 0 * * 7 /usr/bin/duply /root/.duply/test full_verify_purge --force
0 0 * * 1-6 /usr/bin/duply /root/.duply/test incr
In this configuration a full backup is created on Sundays at 0:00 and old backups are deleted.
From Monday to Saturday an incremental backup is run every day.
New cron jobs can be created with crontab -e.
Note that absolute paths must be given for all commands and configuration files.
Further information
- duply (duply.net)