Revision 1 (Jon Goldberg, 08/30/2021 06:35 PM) → Revision 3/5 (Jon Goldberg, 08/30/2021 09:37 PM)

# Backup Setup when we don't have root 

We normally rely on a modified version of `backupninja` for backup, which requires root access. When we don't have root access but we do have `borgbackup`, we have a modified procedure for backing up to rsync.net using borgbackup.

In the example below, `1234` should be your rsync.net user number, `yourrsyncserver.rsync.net` should be your rsync.net server (e.g. `usw-s008.rsync.net`). `clientname` and `servershortname` can be anything you want as long as they're consistent between `borg init` and the shell script. `server.longname.org` should be the name of the server as Icinga knows it. `/path/to/back/up` should be the path you want to back up. You can have more than one, separated by spaces.

 Run all the following on a local computer that has its public key on the rsync.net server. 

 ```shell 
 # Get the public key for the SSH user who will be running the backup on the client's server. 
 # Add it to the rsync.net account: 
 echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1SlLpapSVuMm5O35LN/FWNa8DmRgxYRiaIhcrlFetmso3/+6s2ZGaMHtheTmfZuCm9VNHHp3YHXYqsDPPLuxFg4iKw7ccDc6nRRV32rl5doQE6708fZc6dMp4hFIGNLA1RBFvK/7bGBdQw+ryG/rKFuW7o1X2DrhWRYPVwavjqci2NiHEB5SwjLzetXKF6VLnoZxERZJcBG0d8uQ/EgbcMLN4xXbDDsNsofM4wok0aMULucogSvayHezu5HDt6Dta8iDaWbqQtJwtpcgWrqy+HTPZTxJ5PtZuOfG4KrVR0R+TQSdYe6CFFevGPp3TujO03h885zyXPiLqjEmrVLkt " | ssh 1234@yourrsyncserver.rsync.net 'dd of=.ssh/authorized_keys oflag=append conv=notrunc' 
 # Create a borg repo. 
 borg init 1234@yourrsyncserver.rsync.net:clientname-servershortname -e repokey --remote-path=/usr/local/bin/borg1/borg1 
 ``` 

 Then, drop this script on the server (e.g. in `$HOME/bin`): 
 ```shell 
 #!/bin/bash
 # borg backupninja backup script
 # This file holds the repository passphrase and the Icinga API password:
 # keep it readable only by the user that runs the backup.
 REPOSITORY="1234@yourrsyncserver.rsync.net:clientname-servershortname"
 export BORG_PASSPHRASE='StrongPassphrase'
 # On rsync.net: Specify /usr/local/bin/borg/borg for borg 0.29; /usr/local/bin/borg1 for 1.x
 REMOTE_PATH=/usr/local/bin/borg1/borg1

 ICINGA2_API_USER=backupninja
 ICINGA2_SERVER_ADDRESS=icinga.megaphonetech.com
 ICINGA2_API_PORT=5665
 # Placeholder: replace with the real password and keep the quotes.
 ICINGA2_API_PASSWORD='<Icinga2 API password>'
 ICINGA2_HOSTNAME=server.longname.org
 # Set level to 0, "OK", and we'll change it if anything goes wrong.
 LEVEL=0
 # Run the backup. $? after the assignment is the exit status of the subshell.
 OUTPUT=$( (
 /usr/bin/borg create --warning --filter=AME --stats --list --compression lz4 \
 --remote-path "$REMOTE_PATH" \
 "$REPOSITORY"::'{hostname}-{now:%Y-%m-%d}' \
 /path/to/back/up \
 --exclude '*/templates_c' \
 --exclude '*/Maildir' \
 --exclude '.config/borg' \
 --exclude '*/civicrm/upload/cache'
 ) 2>&1)
 if [ $? -ne 0 ]
 then
   LEVEL=2
 fi

 # Remove old backups.
 # Unquoted \\n adds a literal backslash-n (the JSON newline escape) between sections.
 OUTPUT=${OUTPUT}\\n$( (
 /usr/bin/borg prune -v "$REPOSITORY" --prefix '{hostname}-' --keep-daily=15 --keep-weekly=9 --keep-monthly=6 --remote-path "$REMOTE_PATH"
 ) 2>&1)
 if [ $? -ne 0 ]
 then
   LEVEL=2
 fi

 # Check the integrity of the backup.
 OUTPUT=${OUTPUT}\\n$( (
 /usr/bin/borg check "$REPOSITORY" --remote-path "$REMOTE_PATH"
 ) 2>&1)
 if [ $? -ne 0 ]
 then
   LEVEL=2
 fi
 unset BORG_PASSPHRASE
 # Send to Icinga.
 # OUTPUT is inserted as-is: raw newlines, double quotes or backslashes in the
 # borg output make this invalid JSON.
 DATA="{ \"exit_status\": $LEVEL, \"plugin_output\": \"${OUTPUT}\" }"
 # -k turns off TLS certificate verification for the Icinga API; remove it, or
 # pass --cacert, when this host can verify the certificate.
 /usr/bin/curl -k -s -u "$ICINGA2_API_USER:$ICINGA2_API_PASSWORD" -H 'Accept: application/json' -X POST "https://$ICINGA2_SERVER_ADDRESS:$ICINGA2_API_PORT/v1/actions/process-check-result?service=${ICINGA2_HOSTNAME}!backupninja" --data "${DATA}" > /dev/null
 # Reschedule the next dummy backupninja check
 RESCHEDULE_TIME=$(/bin/date -d "tomorrow 6am" "+%s")
 RESCHEDULE_JSON="{ \"next_check\": \"${RESCHEDULE_TIME}\" }"
 /usr/bin/curl -k -s -u "$ICINGA2_API_USER:$ICINGA2_API_PASSWORD" -H 'Accept: application/json' -X POST "https://$ICINGA2_SERVER_ADDRESS:$ICINGA2_API_PORT/v1/actions/reschedule-check?service=${ICINGA2_HOSTNAME}!backupninja" --data "${RESCHEDULE_JSON}" > /dev/null
 ``` 

 `chmod +x` this file, then add it to the user's `crontab`. 
 Add `vars.has_backupninja = true` to the server's Icinga config and restart Icinga.
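
The script above pastes the borg output straight into the JSON body, so a file name containing a double quote or a backslash (or any raw newline from `--list`) yields a payload Icinga cannot parse, and a failed backup can go unreported. The following is an added example, not part of the original wiki page: the helper names `json_escape` and `check_result_json` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the process-check-result body with the plugin output
# escaped as a JSON string. Function names are hypothetical.

json_escape() {
  # stdin: arbitrary text; stdout: the same text as the inside of a JSON string.
  # Tabs become spaces and other control characters are dropped, then
  # backslashes and double quotes are escaped and lines are joined with \n.
  LC_ALL=C tr '\t' ' ' |
    LC_ALL=C tr -d '\000-\010\013-\037' |
    LC_ALL=C sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' |
    awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

check_result_json() {
  # $1 = Icinga exit status (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN)
  # $2 = plugin output text, e.g. the collected borg output
  case "$1" in
    0|1|2|3) ;;
    *) echo "exit status must be 0-3" >&2; return 1 ;;
  esac
  printf '{ "exit_status": %s, "plugin_output": "%s" }' \
    "$1" "$(printf '%s' "$2" | json_escape)"
}

# Constructed sample resembling `borg create --list` output, with a quoted
# file name, a backslash and real newlines.
SAMPLE=$(printf 'A /home/client/"quoted" name.txt\nM /home/client/back\\slash\nterminating with success status, rc 0')

check_result_json 2 "$SAMPLE"
echo
```

In the backup script this would be used as `DATA=$(check_result_json "$LEVEL" "$OUTPUT")`. The three sections of `OUTPUT` should then be joined with real newlines rather than the literal `\\n`, since the helper escapes backslashes itself.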