... | @@ -32,7 +32,6 @@ To securely copy the public key, we shall enable password authentication at remo |
... | @@ -32,7 +32,6 @@ To securely copy the public key, we shall enable password authentication at remo |
|
https://www.simplified.guide/ssh/copy-public-key
|
|
https://www.simplified.guide/ssh/copy-public-key
|
|
|
|
|
|
**2. How to run the backup command without root privilege?**
|
|
**2. How to run the backup command without root privilege?**
|
|
|
|
|
|
The idea is to execute the restic binary with a backup user, aka execute a binary meant for root without being root.
|
|
The idea is to execute the restic binary with a backup user, aka execute a binary meant for root without being root.
|
|
As root we add a new user
|
|
As root we add a new user
|
|
|
|
|
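Review bot: the sentence under heading 2, "execute a binary meant for root without being root", is ambiguous: it reads as if the restic binary itself ends up with root rights. Say which account runs restic and what access that account is given. The step "As root we add a new user" should also name the user, so that it can be matched against the account in the later sudoers entry.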
... | @@ -56,8 +55,8 @@ Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-s |
... | @@ -56,8 +55,8 @@ Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-s |
|
|
|
|
|
**3. How to run specific root commands by a non root user?**
|
|
**3. How to run specific root commands by a non root user?**
|
|
*Note: we need that for stopping, checking status and starting of the lxc containers.
|
|
*Note: we need that for stopping, checking status and starting of the lxc containers.
|
|
Best practice is to run our LXC containers rootless. This requires a different configuration of the containers' network setup, see details at
|
|
Best practice is to run our LXC containers rootless. This requires a different configuration of the containers' network setup, see details at*
|
|
https://www.cyberciti.biz/faq/how-to-create-unprivileged-linux-containers-on-ubuntu-linux/*
|
|
https://www.cyberciti.biz/faq/how-to-create-unprivileged-linux-containers-on-ubuntu-linux/
|
|
|
|
|
|
Here we will give the backupuser restricted root privilege for the specific lxc commands we need to run during the backup process.
|
|
Here we will give the backupuser restricted root privilege for the specific lxc commands we need to run during the backup process.
|
|
|
|
|
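Review bot: in the note under heading 3, the emphasis now opens at "*Note:" and closes two lines later at "see details at*". If these lines render as separate paragraphs, the markers will not pair and will show as literal asterisks. Wrap each line in its own pair or drop the emphasis. The note also calls rootless containers best practice while the next paragraph grants root through sudo; add one sentence saying why the sudo route is used here.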
... | @@ -65,7 +64,30 @@ Give the backup user the access for specific commands to be executed as 'root'. |
... | @@ -65,7 +64,30 @@ Give the backup user the access for specific commands to be executed as 'root'. |
|
Add these commands in a new file under /etc/sudoers.d/
|
|
Add these commands in a new file under /etc/sudoers.d/
|
|
|
|
|
|
`vi /etc/sudoers.d/00-backupuser`
|
|
`vi /etc/sudoers.d/00-backupuser`
|
|
|
|
|
|
`bintibackup ALL=(ALL) NOPASSWD: /usr/bin/lxc-stop, /usr/bin/lxc-start, /usr/bin/lxc-info, /usr/bin/lxc-ls`
|
|
`bintibackup ALL=(ALL) NOPASSWD: /usr/bin/lxc-stop, /usr/bin/lxc-start, /usr/bin/lxc-info, /usr/bin/lxc-ls`
|
|
|
|
|
|
*https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/*
|
|
https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/
|
|
|
|
|
|
|
|
###Command to run backups from terminal
|
|
|
|
|
|
|
|
Needs the following parameters:
|
|
|
|
- path to password file:
|
|
|
|
PASSWORD="~backupuser/pass"
|
|
|
|
- absolute path to the remote backup repo:
|
|
|
|
remote-repo ="/var/backups"
|
|
|
|
- abosulte path to the directory we want to backup:
|
|
|
|
local-repo="/var/foo"
|
|
|
|
- remote host:
|
|
|
|
|
|
|
|
$host="backups.org"
|
|
|
|
|
|
|
|
$user="backuphost"
|
|
|
|
|
|
|
|
So the command becomes:
|
|
|
|
|
|
|
|
`& restic -p ~/backup/pass -r sftp:backuphost@backups.org:/var/backups --verbose backup /var/foo `
|
|
|
|
OR:
|
|
|
|
`# restic -p $PASSWORD -r sftp:$user@$host:$remote-path --verbose backup </code>
|
|
|
|
|
|
|
|
|
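Review bot: in the new "Command to run backups from terminal" section, the parameter list and the two commands do not agree, so neither command can be copied and run. The assignments `remote-repo ="/var/backups"`, `$host="backups.org"` and `$user="backuphost"` are not valid shell: the name has a hyphen, there is a space before `=`, and there is a leading `$`. The second command references `$remote-path`, which is never defined, leaves out the directory to back up, and ends in `</code>` instead of a closing backtick. The first command starts with a stray `&` and reads `~/backup/pass`, while the parameter is `PASSWORD="~backupuser/pass"`, where the quotes also stop the tilde from expanding. Use plain NAME=value assignments with underscore names and the same names in the command. Also fix "abosulte" and put a space after `###`. In the context lines, the sudoers entry is for `bintibackup` while the text says backupuser. `ALL=(ALL) NOPASSWD:` lets that account run the four lxc binaries as any target user and with any arguments. Narrow it to `(root)`, and edit the file with `visudo -f /etc/sudoers.d/00-backupuser` rather than `vi`, so that a syntax error is caught before it is saved.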