BackupPC

I’ve just started using BackupPC to back up my file server. It’s a disk-based solution, so if you want to archive to removable media such as DVD-R or tape, you need a separate archive step.

The advantage of BackupPC is supposed to be that it can do remote backups of every machine on your network, without needing special software to be loaded on each client machine. That’s true, but a little misleading. If you want to maintain security, then you need to do a little bit of setup on each client.

Configuration seemed unnecessarily awkward. Here’s what I did.

I use Debian Sarge, so basic installation was a breeze. The default configuration only allows for backing up Windows machines through Samba. That’s not a lot of use to me, so I needed to work out how to get it to back up localhost. There is a FAQ on the subject, but it wasn’t quite enough.

1. Prepare the backup partition.

Do this before you install the software, so that your data partition gets properly initialised as part of the installation.

# mkfs.xfs /dev/hdb1
# mkdir -p /var/lib/backuppc
# echo '/dev/hdb1  /var/lib/backuppc  xfs  defaults  0  2' >> /etc/fstab
# mount /var/lib/backuppc

XFS is quicker and more robust than EXT3, so I thought it would be a good choice for the backup filesystem. Debian’s version of BackupPC is hard coded to use /var/lib/backuppc as its data directory, so it makes sense to use that as the mount point.

2. Install the software

You will need backuppc and sudo.

# apt-get install backuppc sudo

If you want to back up remote machines as well as localhost, then it makes sense to install rsync too.

3. Create a tar-create script.

In order to back up the root partition, BackupPC needs to be able to read all files. To get that access, it needs root privilege. In order to prevent a compromise of the backup server leading to a compromise of the whole machine, we follow the FAQ’s advice and use sudo to allow backuppc to run a small shell script.

I found a couple of problems with the script suggested by the BackupPC documentation. Firstly, it incorrectly transferred command-line options to tar (it used $* rather than "$@"). Secondly, it was insecure: leaving the -f option to be set by the server allowed an attacker to write a tar file anywhere on the system. That could easily be used to get elevated privileges, by writing it to /root/.profile for example. Here’s my version:

/etc/backuppc/tar-create:

#!/bin/sh -f

exec /bin/tar -c -f - "$@"

Then, make this file executable by root, and use visudo to allow the backuppc user to execute it without needing a password:

backuppc ALL = NOPASSWD: /etc/backuppc/tar-create

4. Create a config.pl for localhost.

I had to re-read the documentation several times before I discovered where I was supposed to put per-host configuration options. It’s in a file called /var/lib/backuppc/pc/HOSTNAME/config.pl. Here’s my version for localhost:

/var/lib/backuppc/pc/localhost/config.pl:

# Local server backup of / as user backuppc

$Conf{XferMethod} = 'tar';
$Conf{TarShareName} = ['/'];
$Conf{TarClientCmd} = '/usr/bin/sudo /etc/backuppc/tar-create -v -C $shareName --totals';
$Conf{TarFullArgs} = '$fileList';
$Conf{TarIncrArgs} = '--newer=$incrDate $fileList';
$Conf{BackupFilesExclude} = ['/media', '/mnt', '/proc', '/var/lib/backuppc', '/sys'];

I tried adding the --one-file-system option to tar, and then listing the filesystems I wanted backing up. That didn’t work, because it always executes a single tar command, not one for each entry in BackupFilesInclude. Dumb. However I managed to get it to do what I wanted with BackupFilesExclude, albeit less elegantly.

I also had trouble with incremental backups. The default value of TarIncrArgs uses the ‘+’ form of $incrDate, which shell escapes it. This isn’t necessary for sudo which isn’t a shell. The --newer option was being ignored in incremental backups, which were consequently taking several hours. This was the tell-tale error log message…

Running: /usr/bin/sudo /etc/backuppc/tar-create -v -C / --totals --newer=2006-08-04\ 08:31:37 --exclude=./media (...)
Xfer PIDs are now 6857,6856
/bin/tar: Substituting 1901-12-13 20:45:52 for unknown date format `2006-08-04\\'
/bin/tar: 08\:31\:37: Cannot stat: No such file or directory

I redefined TarIncrArgs and TarFullArgs to eliminate the shell escapes, and all was well. Incremental backups now take minutes, rather than hours.
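The two argument-handling points above (the $* versus "$@" forwarding in step 3, and the shell-escaped $incrDate reaching tar unparsed) can be reproduced without BackupPC or tar. This is an added example, not code from the original post or from BackupPC; the function names are hypothetical and the sample arguments are constructed from the log line shown above.

```shell
#!/bin/sh
# Added example: what a sudo wrapper hands to tar under each forwarding style.
# All names here are hypothetical; sample arguments are constructed.

# Print each received argument on its own line, in brackets.
show_args() { for a in "$@"; do printf '[%s]\n' "$a"; done; }

# Forward like the documentation's script: unquoted $* is split again on
# whitespace. "set -f" in the subshell mirrors the "#!/bin/sh -f" shebang,
# which stops the re-split words from also being glob-expanded.
forward_star() ( set -f; show_args $* )

# Forward like the post's script: "$@" keeps every argument intact.
forward_at() { show_args "$@"; }

# Unescaped date, as produced by the redefined TarIncrArgs.
PLAIN='--newer=2006-08-04 08:31:37'
# Shell-escaped date (the '+' form of $incrDate). The backslashes stay
# literal because no shell parses the command line that sudo executes.
ESCAPED='--newer=2006-08-04\ 08\:31\:37'

# Number of arguments tar would receive under each style.
count_star() { forward_star "$@" | wc -l | tr -d ' '; }
count_at()   { forward_at "$@" | wc -l | tr -d ' '; }

echo 'unescaped date via $*:';   forward_star -v "$PLAIN"
echo 'unescaped date via "$@":'; forward_at -v "$PLAIN"
echo 'escaped date via "$@":';   forward_at -v "$ESCAPED"
echo 'escaped date via $*:';     forward_star -v "$ESCAPED"
```

With $* the date and time arrive as separate words, so the time is treated as a file name; with "$@" the date stays in one argument, but any backslashes added for a shell are still there when tar parses it.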


  1. Marc Abramowitz » links for 2006-11-04 said,

    4 November, 2006 @ 19:13

    […] BackupPC tips – firetree.net Great tips for BackupPC, esp. how to backup localhost (tags: backup linux ubuntu) […]

  2. j1m said,

    15 February, 2007 @ 09:49

    In your example would it be possible to add the multi volume option -M and also -F for automatically running a script to change the tapes… “mtx -f /dev/sg1 next” (to auto change to next tape on my autoloader), rather than waiting for user input after tape change?

    regards

  3. Martin Kurtsson said,

    14 March, 2007 @ 10:44

    Just wanted to say thank you for this information. Solved problems I’ve been struggling with a long time.

    Thanks again

  4. Domenico Diacono said,

    1 August, 2007 @ 08:48

    Thanks a lot! Why don’t you submit these corrections to the developers of BackupPC, so they can include them in the docs?

    Thanks again Domenico

  5. 3vi1 said,

    16 October, 2007 @ 11:48

    Thanks for writing this up – very informative.

  6. tmwsiy said,

    27 February, 2009 @ 21:16

    Thanks for this!

    Can you suggest what the TarClientRestoreCmd should be?

  7. Jonnyboy said,

    26 May, 2010 @ 15:34

    These small changes are necessary to get the incremental backups to work properly. They should have been reflected in the BackupPC documentation long ago. I am glad that I found this page. Using the BackupPC docs will get the full backups to work, but not the incrementals.

    Thank you very much.

  8. Jonnyboy said,

    26 May, 2010 @ 16:09

    Can you suggest what the TarClientRestoreCmd should be?

    I also struggled with this and finally create a second script and name it tar-restore

    #!/bin/sh -f

    exec /bin/tar -x -f - "$@"

    Make it executable

    add it to the sudoers list (visudo)

    backuppc ALL = NOPASSWD: /etc/backuppc/tar-restore

    then add this to localhost.pl

    $Conf{TarClientRestoreCmd} = '/usr/bin/sudo /etc/backuppc/tar-restore -x -p --numeric-owner --same-owner -v -C $shareName';

    There may be other ways to accomplish this, but this worked for me. One note, if you restore to an alternate location, the path must exist prior to running the restore, it can not create the path.

  9. Jonnyboy said,

    26 May, 2010 @ 16:11

    One more note: this blog does not get the “- -” correct, notice it merges them into “–”.

  10. Name said,

    2 April, 2015 @ 12:20

    totally outdated I know… but I still haven’t found a good solution for the one-file-system / + /home problem.

    So, about: Local server backup of / as user backuppc I also had trouble with incremental backups ;) I changed from sudo to ssh and got the “08\:31\:37: Cannot stat” errors because of the missing “+” ….. Thanks for the hint :)

    And I was so unsatisfied with the BackupFilesExclude command that I extended my /etc/hosts 127.0.0.1 row by another entry “localhost-home”. Now I can create two different backups for localhost. One with / and one with /home and both with the same --one-file-system tar command. But maybe I should choose another name … the navigation bar entry is “localhost-home Home”.

    just fyi
