Warning: rdiff-backup-2.0.x and rdiff-backup-1.1.x are incompatible
rdiff-backup is a tool that creates incremental backups using ssh to connect to remote hosts.
For security reasons, I run rdiff-backup as a non-privileged user. Because some files can only be read by root (think of /etc/shadow, for example), I use sudo on the client to get the needed privileges, and only for the one command that needs them.
I also disallow root logins in sshd_config (PermitRootLogin no), so ssh connections cannot be made with the root account and sudo is required.
On the server, create the backup user and generate its ssh key pair:
useradd -m backup
backup@pastouche:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/backup/.ssh/id_rsa):
Created directory '/home/backup/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/backup/.ssh/id_rsa.
Your public key has been saved in /home/backup/.ssh/id_rsa.pub.
The key fingerprint is:
39:d4:7a:6f:c3:34:be:94:0e:10:4e:1d:ca:58:72:2b backup@pastouche
On each client, create the same user, put the server's id_rsa.pub into /home/backup/.ssh/authorized_keys so the server can log in with its key, and add the following line to sudoers (edit it with visudo, which checks the syntax before saving):
useradd -m backup
backup ALL= NOPASSWD: /usr/bin/rdiff-backup --server --restrict-read-only /
sudoers matches the whole command line, so the backup user can run rdiff-backup as root only with exactly these arguments; it cannot drop --restrict-read-only or start a shell. Keep in mind that the key has to be usable without a passphrase for unattended runs, so anyone who can read /home/backup/.ssh/id_rsa on the server can read every file on every client: the backup server itself must be protected at least as well as the clients.
The classic way to use rdiff-backup is:
rdiff-backup client::/remote/dir /local/dir
Because we want to use sudo, we need to tweak the remote schema, which is by default
ssh -C %s rdiff-backup --server
where %s is replaced by the client hostname. Just add sudo (and nice, so the backup does not starve the client) to the previous command:
rdiff-backup --remote-schema 'ssh -C %s nice sudo /usr/bin/rdiff-backup --server --restrict-read-only /' client::/etc /srv/backup/test
--restrict-read-only /
is a safety measure: the remote rdiff-backup only answers read requests under /, so the server cannot write anything on the client even though the remote side runs as root.
On the server, the user backup connects to the client via ssh, authenticates itself with the rsa key and launches rdiff-backup in server mode with root privileges through sudo. It then backs up the client's /etc to /srv/backup/test.
To back up the server itself, you can use another remote schema that does not use ssh (this removes the ssh overhead and the CPU spent on ssh compression):
rdiff-backup --remote-schema '%s' 'nice sudo /usr/bin/rdiff-backup --server --restrict-read-only /'::/etc /srv/backup/test
Here the whole command is passed as the "host" part before ::, so it is what gets substituted for %s. This needs the same sudoers entry for the backup user on the server. The more obvious variant
rdiff-backup --remote-schema 'nice sudo /usr/bin/rdiff-backup --server --restrict-read-only /' localhost::/etc /srv/backup/test
won't work because the schema contains no %s for rdiff-backup to substitute.
You can now create your own script (you can have a look at mine or download it) on the server to mount the backup partition, back up each client to its own directory and unmount the partition. Because backups can fail or last a really long time, don't forget to add a lock file so that two backups never run at the same time.
You can exclude/include directories using --exclude and --include. It's even possible to exclude/include from a file with --exclude-globbing-filelist and --include-globbing-filelist.
If you want to back up only part of /, you can use the following syntax (the order is important: include first, then exclude, because rdiff-backup checks each file against the selection options in the order given and the first match wins):
rdiff-backup --include-globbing-filelist $file --exclude '*' ...
where $file points to a file with one directory per line.
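As an added example (this is not the author's script, which is not reproduced on this page), here is a server-side driver in POSIX sh that puts the pieces above together: the lock, mounting and unmounting the backup partition, one directory per client, the ssh and no-ssh remote schemas, and the include-list followed by --exclude '*' selection. Everything not on the page is an assumption: the client list in CLIENTS, the per-client include lists under /etc/rdiff-backup/<host>.list, the lock directory /var/lock/rdiff-backup, and an /etc/fstab entry for /srv/backup so that plain mount and umount work.

```shell
#!/bin/sh
# Added example, not the author's script. Drives rdiff-backup from the
# backup server: take a lock, mount the backup partition, back up every
# client into its own directory, unmount. Assumptions (not from the page):
# clients are listed in CLIENTS, an optional include list per client lives
# in /etc/rdiff-backup/<host>.list, and /srv/backup has an /etc/fstab entry.
set -u

BACKUP_ROOT=${BACKUP_ROOT:-/srv/backup}
CONF_DIR=${CONF_DIR:-/etc/rdiff-backup}
LOCK_DIR=${LOCK_DIR:-/var/lock/rdiff-backup}
CLIENTS=${CLIENTS:-"localhost client1"}
RDIFF=${RDIFF:-rdiff-backup}
# Exactly the command line allowed by the sudoers entry on the clients,
# wrapped in nice so a backup does not starve the client.
REMOTE_CMD='nice sudo /usr/bin/rdiff-backup --server --restrict-read-only /'

# mkdir is atomic, so two runs cannot both get the lock; the EXIT trap drops
# it even when a backup fails half-way, so a crash does not block later runs.
acquire_lock() {
    if mkdir "$LOCK_DIR" 2>/dev/null; then
        trap 'rmdir "$LOCK_DIR"' EXIT
        return 0
    fi
    echo "another backup is still running ($LOCK_DIR exists)" >&2
    return 1
}

# Back up one client into $BACKUP_ROOT/<host>. By default only /etc is
# taken; if $CONF_DIR/<host>.list exists, its directories (one per line)
# are included and everything else under / is excluded. The include option
# must come before --exclude '*': the first matching rule wins.
run_backup() {
    host=$1
    dest=$BACKUP_ROOT/$host
    src=/etc
    set --
    if [ -r "$CONF_DIR/$host.list" ]; then
        set -- --include-globbing-filelist "$CONF_DIR/$host.list" --exclude '*'
        src=/
    fi
    if [ "$host" = localhost ]; then
        # The server backs itself up without ssh: the whole remote command
        # is passed as the "host" and substituted for %s.
        "$RDIFF" --remote-schema '%s' "$@" "${REMOTE_CMD}::${src}" "$dest"
    else
        "$RDIFF" --remote-schema "ssh -C %s ${REMOTE_CMD}" "$@" "${host}::${src}" "$dest"
    fi
}

main() {
    acquire_lock || return 1
    mount "$BACKUP_ROOT" || return 1
    status=0
    for host in $CLIENTS; do
        if ! run_backup "$host"; then
            echo "backup of $host failed" >&2
            status=1    # keep going: one unreachable client must not stop the others
        fi
    done
    umount "$BACKUP_ROOT"
    return "$status"
}

# Only run the driver when invoked as "backup.sh run", so the functions can
# be sourced and tested without touching mount/umount.
if [ "${1:-}" = run ]; then
    main
    exit "$?"
fi
```

Run it from cron as "backup.sh run" under the backup user; a second invocation while one is still running exits immediately with the lock message instead of starting a concurrent backup.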
Last update: 2008/02/20
2007/11/18: Initial creation
2008/02/20: Better user creation (use -m option)