|
|
|
Steps we follow to backup AS LXC containers:
|
|
|
|
*Note: all system paths and parameters in this HOWTO are fictional.
|
|
|
|
|
|
|
|
Process
|
|
|
|
- stop the containers (because AS containers were created and managed by root user, they need root privlege to stop them. We solved this by allowing the specific lxc stop/start commands for the backup user via the sudoes.d configuration.)
|
|
|
|
- backup the containers
|
|
|
|
- restart the containers
|
|
|
|
|
|
|
|
System setup
|
|
|
|
- a backup 'user'
|
|
|
|
- ssh keys to access remote backup repo
|
|
|
|
- password for restic backup command
|
|
|
|
- bash script with the necessary commands to run the process above
|
|
|
|
- cron job added via the backup user to run the bash script on regular intervals.
|
|
|
|
|
|
|
|
Configuration of the system setup
|
|
|
|
1. How to access the remote backup repo?
|
|
|
|
- create new ssh keys for ssh access to the remote backup repo, and give directory flag for saving the keys under the desired directory.
|
|
|
|
- scp the new pub key in the remote backup repo, under the remote user's home .ssh/authorized_keys. Remote user is the one who owns the repo where our backups will be placed.
|
|
|
|
To securely copy the public key, we shall enable password authentication at remote's server file */etc/ssh/sshd_config*, and disable it after having copied the public key.
|
|
|
|
|
|
|
|
`$ ssh-copy-id -i ~/.ssh/other_key.pub user@remote-host`
|
|
|
|
https://www.simplified.guide/ssh/copy-public-key
|
|
|
|
|
|
|
|
2. How to run the backup command without root privelege when some of the filesystem to be backed-up is accessed only by root, aka execute a binary meant for root without being root?
|
|
|
|
The idea is to execute the restic binary from backup user's home or from /usr/bin.
|
|
|
|
|
|
|
|
<code> # useradd backupuser </code>
|
|
|
|
# creates the new user and a group with the same name
|
|
|
|
|
|
|
|
<code> # chown root:backupuser /usr/bin/restic</code>
|
|
|
|
# makes user root and group backupuser owners of the restic binary
|
|
|
|
<code> # chmod 750 /usr/bin/restic </code>
|
|
|
|
# user root has now read, write, execute permissions, and users in backupuser group can execute and read the restic binary
|
|
|
|
<code> # setcap cap_dac_read_search=+ep ~backupuser/bin/restic </code>
|
|
|
|
# assigns capabilities to backup the whole system
|
|
|
|
|
|
|
|
Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root |
|
|
|
\ No newline at end of file |