SSH/SFTP Rsync backups done with chroot

Rsync

Rsync, for those who aren’t familiar, is a file copy tool, which, after the first copy, will only send changes during subsequent updates. This makes it a very efficient tool, especially when used over an internet connection.

Anyway, to enable rsync from server A to server B, it is common to perform the login via key. This means that on Server A you’d generate an SSH key pair for your backup user, then copy the generated public key into the ~/.ssh/authorized_keys file for your backup user on Server B.

Because rsync is going to be executed automatically via a cron script, it is necessary to create the key without a passphrase.

Jail

  • Configure your SSH server
    • Open up /etc/ssh/sshd_config
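    • At the end of the file, tell SSH to create a chroot jail for your backup user:
      # Settings below apply only to the backup user (until the next Match or end of file)
      Match User backup-user
          ChrootDirectory %h
          AllowTcpForwarding no
          PermitTunnel no
          X11Forwarding no

      Note: because of the way chroot works, the chroot directory must be owned by root, even if it’s actually the home directory of your backup user. sshd also refuses a chroot directory that is writable by any other user or group.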

  • Save, and restart your SSH server.

This gets you part of the way: you should now be able to SSH/SFTP into Server B using your backup user, and when connected, you will be restricted to the location set in ChrootDirectory.

Unfortunately, rsync needs more than this, and in order to copy files it’ll need access to the shell (I’m assuming bash), as well as the rsync application itself, together with whatever libraries are required.

Therefore, it becomes necessary to create a partial chroot image in the backup user’s chroot directory. You could do this the traditional way (e.g. by using something like debootstrap), which will create a mirror of your base operating system files in the chroot jail. However, this generally takes a few hundred megabytes at least, and if all you want is to copy some files, you don’t want to give access to more than you need.

Instead, I opt to create a skeleton chroot jail by hand.

The goal here is to mirror the filesystem of your server inside the chroot jail, so that if a file exists in /foo/bar, then you need to copy it to /home/backup-user/foo/bar, and make sure it’s owned by root.

  • Copy bash from /bin/bash to the directory /home/backup-user/bin/
  • Copy rsync (on my system this was in /usr/bin)
  • Next, you need to copy the shared libraries that these files are linked against. You can use the tool ldd to interrogate the executable and get a list of files to copy, e.g.:
    root@server-b:/home/backup-user# ldd /bin/bash
        linux-vdso.so.1 =>  (0x00007fff52bff000)
        libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f412810a000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f4127f06000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4127b79000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f4128340000)

    Copy the files which have directories into the appropriate locations, e.g. /lib/x86_64-linux-gnu/libtinfo.so.5 should go into /home/backup-user/lib/x86_64-linux-gnu/

  • Do the same for /usr/bin/rsync
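
The copy steps above can be scripted. This is an added example, not part of the original post: the function names are hypothetical, and it assumes it is run as root so that every file and directory it creates in the jail is root-owned.

```sh
#!/bin/sh
# Added example: populate the skeleton jail (function names are hypothetical).

# Read `ldd` output on stdin, print one absolute library path per line.
# Handles "name => /path (addr)" and bare "/path (addr)" lines; entries
# without a path (linux-vdso, "not found") are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy one file to the same absolute path inside the jail. -L follows
# symlinks, so the jail holds a real file under the name the loader opens.
copy_into_jail() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
}

# Copy each binary, then every library ldd reports for it.
populate_jail() {
    jail=$1
    shift
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin"
        ldd "$bin" | ldd_paths | while read -r lib; do
            copy_into_jail "$jail" "$lib"
        done
    done
}

# Usage, as root so that everything created is root-owned:
#   populate_jail /home/backup-user /bin/bash /usr/bin/rsync
```

Re-run it after package updates that replace bash, rsync or their libraries, since the jail holds copies rather than links to the system files.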

Install Ubuntu Restricted Extras

sudo apt-get install ubuntu-restricted-extras

Ubuntu Restricted Extras is a single package that contains a lot of useful plugins and extras that are essential for Ubuntu. It is not installed by default due to the license restrictions of various software. Restricted Extras contains the software listed below.

flashplugin-installer
gstreamer0.10-ffmpeg
gstreamer0.10-fluendo-mp3n
gstreamer0.10-pitfdll
gstreamer0.10-plugins-bad
gstreamer0.10-plugins-ugly
gstreamer0.10-plugins-bad-multiverse
gstreamer0.10-plugins-ugly-multiverse
icedtea6-plugin
libavcodec-extra-52
libmp4v2-0
ttf-mscorefonts-installer
unrar

http://packages.ubuntu.com/quantal/ubuntu-restricted-extras

GRUB2 installs to USB device during installation

Every once in a while I have a problem with Debian/Ubuntu installers running from USB thumb drives. What I think happens is the installer sees the USB drive first and the HDD second, so when it installs a bootloader, some information is written to the USB thumb drive that is needed to boot the computer. This is a problem because I don’t intend on leaving the USB thumb drive in the computer every time I need to boot it.

So my fix is quick and simple (and can be found all over the Internet). I only post it here so that I can easily find it in the future.

sudo grub-install /dev/sda # HDD device name
sudo update-grub

Good luck!

Ubuntu 11.10: Oneiric Ocelot

Today, Mark Shuttleworth announced the name of Ubuntu 11.10: Oneiric Ocelot.

Oneiric means “dreamy”, and the combination with Ocelot reminds me of the way innovation happens: part daydream, part discipline.

[…]

Natty is a stretch release: we set out to redefine the look and feel of the free desktop. We’ll need all the feedback we can get, so please test today’s daily, or A3, and file bug reports! Keep up the discipline and focus on the Narwhal, and let’s direct our daydreaming to the Ocelot.

http://www.markshuttleworth.com/archives/646

Ubuntu 10.04 LTS Released

The Ubuntu team is pleased to announce Ubuntu 10.04 LTS (Long-Term Support).
This release incorporates the Desktop Edition and the Server Edition. The
Server Edition can be used on physical servers, on Ubuntu Enterprise Cloud
(UEC), and on Amazon’s EC2 public cloud. Codenamed “Lucid Lynx”, 10.04 LTS
continues Ubuntu’s proud tradition of integrating the latest and greatest
open source technologies into a high-quality, easy-to-use Linux
distribution. Also available is the Ubuntu 10.04 Netbook Edition,
which is not a long-term support release.