Главная Обзор Помощь
Вход
mirrors
/
borg
зеркало из https://github.com/borgbackup/borg
2
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: 6df21df3f4
Ветки Метки
borg
/
docs
/
deployment.rst

deployment.rst 6.2 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166 
  1. .. include:: global.rst.inc
    2. 

  2. .. _deployment:
    3. 

  3. 

  4. Deployment
    5. 

  5. ==========
    6. 

  6. 

  7. This chapter will give an example how to setup a borg repository server for multiple
    8. 

  8. clients.
    9. 

  9. 

  10. Machines
    11. 

  11. --------
    12. 

  12. 

  13. There are multiple machines used in this chapter and will further be named by their
    14. 

  14. respective fully qualified domain name (fqdn).
    15. 

  15. 

  16. * The backup server: `backup01.srv.local`
    17. 

  17. * The clients:
    18. 

  18. 

  19.   - John Doe's desktop: `johndoe.clnt.local`
    20. 

  20.   - Webserver 01: `web01.srv.local`
    21. 

  21.   - Application server 01: `app01.srv.local`
    22. 

  22. 

  23. User and group
    24. 

  24. --------------
    25. 

  25. 

  26. The repository server needs to have only one UNIX user for all the clients.
    27. 

  27. Recommended user and group with additional settings:
    28. 

  28. 

  29. * User: `backup`
    30. 

  30. * Group: `backup`
    31. 

  31. * Shell: `/bin/bash` (or other capable to run the `borg serve` command)
    32. 

  32. * Home: `/home/backup`
    33. 

  33. 

  34. Most clients shall initiate a backup from the root user to catch all
    35. 

  35. users, groups and permissions (e.g. when backing up `/home`).
    36. 

  36. 

  37. Folders
    38. 

  38. -------
    39. 

  39. 

  40. The following folder tree layout is suggested on the repository server:
    41. 

  41. 

  42. * User home directory, /home/backup
    43. 

  43. * Repositories path (storage pool): /home/backup/repos
    44. 

  44. * Clients restricted paths (`/home/backup/repos/<client fqdn>`):
    45. 

  45. 

  46.   - johndoe.clnt.local: `/home/backup/repos/johndoe.clnt.local`
    47. 

  47.   - web01.srv.local: `/home/backup/repos/web01.srv.local`
    48. 

  48.   - app01.srv.local: `/home/backup/repos/app01.srv.local`
    49. 

  49. 

  50. Restrictions
    51. 

  51. ------------
    52. 

  52. 

  53. Borg is instructed to restrict clients into their own paths:
    54. 

  54. ``borg serve --restrict-path /home/backup/repos/<client fqdn>``
    55. 

  55. 

  56. There is only one ssh key per client allowed. Keys are added for ``johndoe.clnt.local``, ``web01.srv.local`` and
    57. 

  57. ``app01.srv.local``. But they will access the backup under only one UNIX user account as:
    58. 

  58. ``backup@backup01.srv.local``. Every key in ``$HOME/.ssh/authorized_keys`` has a
    59. 

  59. forced command and restrictions applied as shown below:
    60. 

  60. 

  61. ::
    62. 

  62. 

  63.   command="cd /home/backup/repos/<client fqdn>;
    64. 

  64.            borg serve --restrict-path /home/backup/repos/<client fqdn>",
    65. 

  65.            no-port-forwarding,no-X11-forwarding,no-pty,
    66. 

  66.            no-agent-forwarding,no-user-rc <keytype> <key> <host>
    67. 

  67. 

  68. .. note:: The text shown above needs to be written on a single line!
    69. 

  69. 

  70. The options which are added to the key will perform the following:
    71. 

  71. 

  72. 1. Change working directory
    73. 

  73. 2. Run ``borg serve`` restricted to the client base path
    74. 

  74. 3. Restrict ssh and do not allow stuff which imposes a security risk
    75. 

  75. 

  76. Due to the ``cd`` command we use, the server automatically changes the current
    77. 

  77. working directory. Then client doesn't need to have knowledge of the absolute
    78. 

  78. or relative remote repository path and can directly access the repositories at
    79. 

  79. ``<user>@<host>:<repo>``.
    80. 

  80. 

  81. .. note:: The setup above ignores all client given commandline parameters
    82. 

  82.           which are normally appended to the `borg serve` command.
    83. 

  83. 

  84. Client
    85. 

  85. ------
    86. 

  86. 

  87. The client needs to initialize the `pictures` repository like this:
    88. 

  88. 

  89.  borg init backup@backup01.srv.local:pictures
    90. 

  90. 

  91. Or with the full path (should actually never be used, as only for demonstrational purposes).
    92. 

  92. The server should automatically change the current working directory to the `<client fqdn>` folder.
    93. 

  93. 

  94.   borg init backup@backup01.srv.local:/home/backup/repos/johndoe.clnt.local/pictures
    95. 

  95. 

  96. When `johndoe.clnt.local` tries to access a not restricted path the following error is raised.
    97. 

  97. John Doe tries to backup into the Web 01 path:
    98. 

  98. 

  99.   borg init backup@backup01.srv.local:/home/backup/repos/web01.srv.local/pictures
    100. 

  100. 

  101. ::
    102. 

  102. 

  103.   ~~~ SNIP ~~~
    104. 

  104.   Remote: borg.remote.PathNotAllowed: /home/backup/repos/web01.srv.local/pictures
    105. 

  105.   ~~~ SNIP ~~~
    106. 

  106.   Repository path not allowed
    107. 

  107. 

  108. Ansible
    109. 

  109. -------
    110. 

  110. 

  111. Ansible takes care of all the system-specific commands to add the user, create the
    112. 

  112. folder. Even when the configuration is changed the repository server configuration is
    113. 

  113. satisfied and reproducible.
    114. 

  114. 

  115. Automate setting up an repository server with the user, group, folders and
    116. 

  116. permissions a Ansible playbook could be used. Keep in mind the playbook
    117. 

  117. uses the Arch Linux `pacman <https://www.archlinux.org/pacman/pacman.8.html>`_
    118. 

  118. package manager to install and keep borg up-to-date.
    119. 

  119. 

  120. ::
    121. 

  121. 

  122.   - hosts: backup01.srv.local
    123. 

  123.     vars:
    124. 

  124.       user: backup
    125. 

  125.       group: backup
    126. 

  126.       home: /home/backup
    127. 

  127.       pool: "{{ home }}/repos"
    128. 

  128.       auth_users:
    129. 

  129.         - host: johndoe.clnt.local
    130. 

  130.           key: "{{ lookup('file', '/path/to/keys/johndoe.clnt.local.pub') }}"
    131. 

  131.         - host: web01.clnt.local
    132. 

  132.           key: "{{ lookup('file', '/path/to/keys/web01.clnt.local.pub') }}"
    133. 

  133.         - host: app01.clnt.local
    134. 

  134.           key: "{{ lookup('file', '/path/to/keys/app01.clnt.local.pub') }}"
    135. 

  135.     tasks:
    136. 

  136.     - pacman: name=borg state=latest update_cache=yes
    137. 

  137.     - group: name="{{ group }}" state=present
    138. 

  138.     - user: name="{{ user }}" shell=/bin/bash home="{{ home }}" createhome=yes group="{{ group }}" groups= state=present
    139. 

  139.     - file: path="{{ home }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
    140. 

  140.     - file: path="{{ home }}/.ssh" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
    141. 

  141.     - file: path="{{ pool }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
    142. 

  142.     - authorized_key: user="{{ user }}"
    143. 

  143.                       key="{{ item.key }}"
    144. 

  144.                       key_options='command="cd {{ pool }}/{{ item.host }};borg serve --restrict-to-path {{ pool }}/{{ item.host }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
    145. 

  145.       with_items: auth_users
    146. 

  146.     - file: path="{{ home }}/.ssh/authorized_keys" owner="{{ user }}" group="{{ group }}" mode=0600 state=file
    147. 

  147.     - file: path="{{ pool }}/{{ item.host }}" owner="{{ user }}" group="{{ group }}" mode=0700 state=directory
    148. 

  148.       with_items: auth_users
    149. 

  149. 

  150. Enhancements
    151. 

  151. ------------
    152. 

  152. 

  153. As this chapter only describes a simple and effective setup it could be further
    154. 

  154. enhanced when supporting (a limited set) of client supplied commands. A wrapper
    155. 

  155. for starting `borg serve` could be written. Or borg itself could be enhanced to
    156. 

  156. autodetect it runs under SSH by checking the `SSH_ORIGINAL_COMMAND` environment
    157. 

  157. variable. This is left open for future improvements.
    158. 

  158. 

  159. When extending ssh autodetection in borg no external wrapper script is necessary
    160. 

  160. and no other interpreter or application has to be deployed.
    161. 

  161. 

  162. See also
    163. 

  163. --------
    164. 

  164. 

  165. * `SSH Daemon manpage <http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8>`_
    166. 

  166. * `Ansible <https://docs.ansible.com>`_
    167.