|
This documentation is dedicated for scheduling backups with a bash script and a cron job for [LXC containers](https://linuxcontainers.org/)
|
|
### This documentation is dedicated for scheduling backups with a bash script and a cron job for [LXC containers](https://linuxcontainers.org/)
|
|
|
|
|
|
> A LXC container is like a virtual machine but it shares the kernel with the host server. While a docker container is single application oriented and its OS can be trimmed down to a very basic setup, e.g a Docker container can be started from a python image instead of an Ubuntu image, and only install the requited software for compiling and running a project. So LXC has a complete file system that supports a lot of I/O data operations and runs applications and services within one container - e.g wordpress and mysql.
|
|
> A LXC container is like a virtual machine but it shares the kernel with the host server. While a docker container is single application oriented and its OS can be trimmed down to a very basic setup, e.g a Docker container can be started from a python image instead of an Ubuntu image, and only install the requited software for compiling and running a project. So LXC has a complete file system that supports a lot of I/O data operations and runs applications and services within one container - e.g wordpress and mysql.
|
|
> https://www.educba.com/lxc-vs-docker/
|
|
> https://www.educba.com/lxc-vs-docker/
|
... | @@ -9,20 +9,20 @@ A simple tool for backups is [rsync](https://rsync.samba.org/) that copies files |
... | @@ -9,20 +9,20 @@ A simple tool for backups is [rsync](https://rsync.samba.org/) that copies files |
|
Steps we follow to backup LXC containers:
|
|
Steps we follow to backup LXC containers:
|
|
Note: all system paths and parameters in this HOWTO are fictional.
|
|
Note: all system paths and parameters in this HOWTO are fictional.
|
|
|
|
|
|
**Process**
|
|
### Process
|
|
- stop the containers (because AS containers were created and managed by root user, they need root privlege to stop them. We solved this by allowing the specific lxc stop/start commands for the backup user via the sudoes.d configuration.)
|
|
- stop the containers (*if containers were created by root user, we need root privilege to stop them. We solve this by allowing the specific lxc stop/start commands for the backup user via the *sudoes.d* configuration.*)
|
|
- backup the containers
|
|
- backup the containers
|
|
- restart the containers
|
|
- restart the containers
|
|
|
|
|
|
**System setup**
|
|
### System setup
|
|
- a backup 'user'
|
|
- a backup 'user'
|
|
- ssh keys to access remote backup repo
|
|
- ssh keys to access remote backup repo
|
|
- password for restic backup command
|
|
- password for restic backup command
|
|
- bash script with the necessary commands to run the process above
|
|
- bash script with the necessary commands to run the process above
|
|
- cron job added via the backup user to run the bash script on regular intervals.
|
|
- cron job added via the backup user to run the bash script on regular intervals.
|
|
|
|
|
|
Configuration of the system setup
|
|
### Configuration of the system setup
|
|
1. How to access the remote backup repo?
|
|
**1. How to access the remote backup repo?**
|
|
- create new ssh keys for ssh access to the remote backup repo, and give directory flag for saving the keys under the desired directory.
|
|
- create new ssh keys for ssh access to the remote backup repo, and give directory flag for saving the keys under the desired directory.
|
|
- scp the new pub key in the remote backup repo, under the remote user's home .ssh/authorized_keys. Remote user is the one who owns the repo where our backups will be placed.
|
|
- scp the new pub key in the remote backup repo, under the remote user's home .ssh/authorized_keys. Remote user is the one who owns the repo where our backups will be placed.
|
|
To securely copy the public key, we shall enable password authentication at remote's server file */etc/ssh/sshd_config*, and disable it after having copied the public key.
|
|
To securely copy the public key, we shall enable password authentication at remote's server file */etc/ssh/sshd_config*, and disable it after having copied the public key.
|
... | @@ -30,17 +30,19 @@ To securely copy the public key, we shall enable password authentication at remo |
... | @@ -30,17 +30,19 @@ To securely copy the public key, we shall enable password authentication at remo |
|
`$ ssh-copy-id -i ~/.ssh/other_key.pub user@remote-host`
|
|
`$ ssh-copy-id -i ~/.ssh/other_key.pub user@remote-host`
|
|
https://www.simplified.guide/ssh/copy-public-key
|
|
https://www.simplified.guide/ssh/copy-public-key
|
|
|
|
|
|
2. How to run the backup command without root privelege when some of the filesystem to be backed-up is accessed only by root, aka execute a binary meant for root without being root?
|
|
**2. How to run the backup command without root privilege**
|
|
The idea is to execute the restic binary from backup user's home or from /usr/bin.
|
|
The idea is to execute the restic binary with a backup user, aka execute a binary meant for root without being root.
|
|
|
|
As root we add a new user
|
|
|
|
`# useradd backupuser`
|
|
|
|
*creates the new user and a group with the same name*
|
|
|
|
|
|
<code> # useradd backupuser </code>
|
|
`# chown root:backupuser /usr/bin/restic`
|
|
# creates the new user and a group with the same name
|
|
*makes user root and group backupuser owners of the restic binary*
|
|
|
|
|
|
<code> # chown root:backupuser /usr/bin/restic</code>
|
|
`# chmod 750 /usr/bin/restic`
|
|
# makes user root and group backupuser owners of the restic binary
|
|
*user root has now read, write, execute permissions, and users in backupuser group can execute and read the restic binary*
|
|
<code> # chmod 750 /usr/bin/restic </code>
|
|
|
|
# user root has now read, write, execute permissions, and users in backupuser group can execute and read the restic binary
|
|
`# setcap cap_dac_read_search=+ep ~backupuser/bin/restic`
|
|
<code> # setcap cap_dac_read_search=+ep ~backupuser/bin/restic </code>
|
|
*assigns capabilities to backup the whole system*
|
|
# assigns capabilities to backup the whole system
|
|
|
|
|
|
|
|
Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root |
|
Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root |
|
|
|
\ No newline at end of file |