Restricting rsnapshot access for clients pushing to central
Hi Nico,

Here's another approach to avoiding the slightly scary SSH key with remote root
situation: Have the central server pull as a non-root user, and use rsyncrypto
on the remote hosts to give the non-root backup user access to encrypted
versions of the non-world-readable files. This is a *pull* configuration,
which I realize wasn't your first choice, but it's simple and it works.

I've been using this setup for around a year and I'm pretty happy with it. I
just uploaded a (very) rough description to
https://github.com/ewa/rsyncrypto-rsnapshot-config .

-Eric

Thus spake Nico Kadel-Garcia (nkadel < at > gmail.com):

I'm back, I'm back. (Been quiet for years.)

I'm looking at an environment of roughly 100 boxes, all to back up to
an rsnapshot server. I'm very familiar with rsnapshot, but can't
necessarily get the owners of the boxes to allow me to install an SSH
key with root access, even wrapping the key in a 'validate-rsync.sh'
setup to assure it is used only for rsync. I've also reviewed the rssh
and chroot tools in the past, and they're unsuitable for the scattered
servers.

Now, I can, in theory, set up a central rsync server, with rsyncd.conf
set up to allow hosts to push to that server inside rsync based chroot
cages. I can then wrap rsnapshot on top of those pushed targets, even
using lock files from the pushing clients to protect them from
simultaneous rsnapshot operations, and manipulating rsnapshot "pre"
operations to merge materials from those rsync targets to the
rsnapshots and keep disk space usage down.

I've used that before very effectively, but it does leave packet
sniffing of the rsync protocol quite feasible. If I install SSH keys
for the clients to push to the server, then *THOSE* need root access,
and I've got to contain *those* somehow.

I'd love to take advantage of somebody else already having done this,
but Google searches are not turning up well designed solutions for
this. I'm particularly looking for well integrated rsync over SSH
*push* setups. rssh only supports rsync pushing with complex chroot
cage setups, for each repository, and that gets nasty fast for a
hundred chroot cages, and I've not tried using these tools to support
rsync push targets.

Any well integrated solutions out there?

_______________________________________________
rsnapshot-discuss mailing list
rsnapshot-discuss < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsnapshot-discuss

--
Eric W. Anderson Electrical and Computer Engineering
andersoe < at > ece.cmu.edu Carnegie Mellon University
phone: +1-412-268-1908 Hamerschlag A311

PGP key fingerprint:
D3C5 D6FF EDED 9F1F C36D 53A3 74B7 53A6 3C74 5F12
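
Added example, not part of either message above and not the 'validate-rsync.sh' script the quoted message refers to: a forced-command filter a client could attach to the non-root backup user's key in a pull setup, so the key can only run a read-only rsync sender. The script path, the `ALLOWED_ROOT` directory and the option allow-list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: forced-command filter for a pull-only key.
# Assumed authorized_keys entry for the non-root backup user on each client:
#   command="/usr/local/bin/validate-rsync-pull.sh",restrict ssh-ed25519 <key> backup@central
# ALLOWED_ROOT (assumed path) is where the encrypted copies are written.
ALLOWED_ROOT="${ALLOWED_ROOT:-/var/backups/encrypted}"
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact
set -f                    # never glob-expand words taken from the client

# check_rsync_pull CMD: return 0 only for "rsync --server --sender [opts] . PATH..."
# where every PATH lies under ALLOWED_ROOT.
check_rsync_pull() {
    set -- $1             # split on whitespace only; nothing is eval'd
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    seen_dot=0 paths=0
    for word in "$@"; do
        case $word in
            *[!A-Za-z0-9./_=,:@+-]*) return 1 ;;  # quotes, ;, |, $, backticks, ...
        esac
        if [ "$seen_dot" -eq 0 ]; then
            case $word in
                .) seen_dot=1 ;;
                --numeric-ids) ;;                 # assumed long-option allow-list
                --*) return 1 ;;                  # e.g. --remove-source-files, --log-file=
                -[A-Za-z]*) ;;                    # bundled short flags sent by the client
                *) return 1 ;;
            esac
        else
            case $word in
                *..*) return 1 ;;                 # no parent-directory escapes
                "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) paths=$((paths + 1)) ;;
                *) return 1 ;;
            esac
        fi
    done
    [ "$paths" -ge 1 ]
}

# Entry point when sshd runs this script as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_pull "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND   # word-split, no shell interpretation
    fi
    logger -t validate-rsync-pull "rejected: $SSH_ORIGINAL_COMMAND" 2>/dev/null
    exit 1
fi
```

The path check is lexical only, so symlinks inside `ALLOWED_ROOT` that point elsewhere are not caught by it.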
